Chapter 1. apache web server


In this chapter we learn how to setup a web server with the apache software. 


According to NetCraft (http://news.netcraft.com/archives/web_server_survey.html) about
seventy percent of all web servers are running on Apache. The name is derived from "a
patchy web server", because of all the patches people wrote for the NCSA httpd server.


Later chapters will expand this web server into a LAMP stack (Linux, Apache, Mysql, Perl/ 
PHP/Python). 
1.1. introduction to apache


1.1.1. installing on Debian 


This screenshot shows that there is no apache server installed, nor does the /var/www 
directory exist. 


root@debian7:~# ls -l /var/www
ls: cannot access /var/www: No such file or directory
root@debian7:~# dpkg -l | grep apache


To install apache on Debian: 


root@debian7:~# aptitude install apache2
The following NEW packages will be installed:
  apache2 apache2-mpm-worker{a} apache2-utils{a} apache2.2-bin{a} apache2.2-com\
mon{a} libapr1{a} libaprutil1{a} libaprutil1-dbd-sqlite3{a} libaprutil1-ldap{a}\
  ssl-cert{a}
0 packages upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,487 kB of archives. After unpacking 5,673 kB will be used.
Do you want to continue? [Y/n/?]


After installation, the same two commands as above will yield a different result: 


root@debian7:~# ls -l /var/www
total 4
-rw-r--r-- 1 root root 177 Apr 29 11:55 index.html
root@debian7:~# dpkg -l | grep apache | tr -s ' '
ii apache2 2.2.22-13+deb7u1 amd64 Apache HTTP Server metapackage
ii apache2-mpm-worker 2.2.22-13+deb7u1 amd64 Apache HTTP Server - high speed th\
readed model
ii apache2-utils 2.2.22-13+deb7u1 amd64 utility programs for webservers
ii apache2.2-bin 2.2.22-13+deb7u1 amd64 Apache HTTP Server common binary files
ii apache2.2-common 2.2.22-13+deb7u1 amd64 Apache HTTP Server common files
1.1.2. installing on RHEL/CentOS


Note that Red Hat derived distributions use httpd as package and process name instead of 
apache. 


To verify whether apache is installed in CentOS/RHEL: 


[root@centos65 ~]# rpm -q httpd
package httpd is not installed
[root@centos65 ~]# ls -l /var/www
ls: cannot access /var/www: No such file or directory


To install apache on CentOS: 


[root@centos65 ~]# yum install httpd 


After running the yum install httpd command, the Centos 6.5 server has apache installed 
and the /var/www directory exists. 


[root@centos65 ~]# rpm -q httpd
httpd-2.2.15-30.el6.centos.x86_64
[root@centos65 ~]# ls -l /var/www
total 16
drwxr-xr-x. 2 root root 4096 Apr  3 23:57 cgi-bin
drwxr-xr-x. 3 root root 4096 May  6 13:08 error
drwxr-xr-x. 2 root root 4096 Apr  3 23:57 html
drwxr-xr-x. 3 root root 4096 May  6 13:08 icons
[root@centos65 ~]#
1.1.3. running apache on Debian


This is how you start apache2 on Debian. 


root@debian7:~# service apache2 status 

Apache2 is NOT running. 

root@debian7:~# service apache2 start 

Starting web server: apache2apache2: Could not reliably determine the server's \ 
fully qualified domain name, using 127.0.1.1 for ServerName 


To verify, run the service apache2 status command again or use ps. 


root@debian7:~# service apache2 status
Apache2 is running (pid 3680).
root@debian7:~# ps -C apache2
  PID TTY          TIME CMD
 3680 ?        00:00:00 apache2
 3683 ?        00:00:00 apache2
 3684 ?        00:00:00 apache2
 3685 ?        00:00:00 apache2
root@debian7:~#


Or use wget and file to verify that your web server serves an html document. 


root@debian7:~# wget 127.0.0.1
--2014-05-06 13:27:02--  http://127.0.0.1/
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177 [text/html]
Saving to: 'index.html'

100%[======================================>] 177         --.-K/s   in 0s

2014-05-06 13:27:02 (15.8 MB/s) - 'index.html' saved [177/177]

root@debian7:~# file index.html
index.html: HTML document, ASCII text
root@debian7:~#


Or verify that apache is running by opening a web browser, and browse to the ip-address of 
your server. An Apache test page should be shown. 


You can do the following to quickly avoid the 'could not reliably determine the fqdn' message 
when restarting apache. 


root@debian7:~# echo ServerName Debian7 >> /etc/apache2/apache2.conf 
root@debian7:~# service apache2 restart 

Restarting web server: apache2 ... waiting 

root@debian7:~#
1.1.4. running apache on CentOS


Starting the httpd on RHEL/CentOS is done with the service command. 


[root@centos65 ~]# service httpd status
httpd is stopped
[root@centos65 ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualifie\
d domain name, using 127.0.0.1 for ServerName
                                                           [  OK  ]
[root@centos65 ~]#


To verify that apache is running, use ps or issue the service httpd status command again. 


[root@centos65 ~]# service httpd status
httpd (pid  2410) is running...
[root@centos65 ~]# ps -C httpd
  PID TTY          TIME CMD
 2410 ?        00:00:00 httpd
 2412 ?        00:00:00 httpd
 2413 ?        00:00:00 httpd
 2414 ?        00:00:00 httpd
 2415 ?        00:00:00 httpd
 2416 ?        00:00:00 httpd
 2417 ?        00:00:00 httpd
 2418 ?        00:00:00 httpd
 2419 ?        00:00:00 httpd
[root@centos65 ~]#


To prevent the 'Could not reliably determine the fqdn' message, issue the following 
command. 


[root@centos65 ~]# echo ServerName Centos65 >> /etc/httpd/conf/httpd.conf 
[root@centos65 ~]# service httpd restart 


Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@centos65 ~]#
1.1.5. index file on CentOS


CentOS does not provide a standard index.html or index.php file. A simple wget gives an 
error. 


[root@centos65 ~]# wget 127.0.0.1
--2014-05-06 15:10:22--  http://127.0.0.1/
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-05-06 15:10:22 ERROR 403: Forbidden.


Instead when visiting the ip-address of your server in a web browser you get a noindex.html 
page. You can verify this using wget. 


[root@centos65 ~]# wget http://127.0.0.1/error/noindex.html
--2014-05-06 15:16:05--  http://127.0.0.1/error/noindex.html
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5039 (4.9K) [text/html]
Saving to: "noindex.html"

100%[======================================>] 5,039       --.-K/s   in 0s

2014-05-06 15:16:05 (289 MB/s) - "noindex.html" saved [5039/5039]

[root@centos65 ~]# file noindex.html
noindex.html: HTML document text
[root@centos65 ~]#


Any custom index.html file in /var/www/html will immediately serve as an index for this 
web server. 


[root@centos65 ~]# echo 'Welcome to my website' > /var/www/html/index.html
[root@centos65 ~]# wget http://127.0.0.1
--2014-05-06 15:19:16--  http://127.0.0.1/
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22 [text/html]
Saving to: "index.html"

100%[======================================>] 22          --.-K/s   in 0s

2014-05-06 15:19:16 (1.95 MB/s) - "index.html" saved [22/22]

[root@centos65 ~]# cat index.html
Welcome to my website
1.1.6. default website


Changing the default website of a freshly installed apache web server is easy. All you need 
to do is create (or change) an index.html file in the DocumentRoot directory. 


To locate the DocumentRoot directory on Debian: 


root@debian7:~# grep DocumentRoot /etc/apache2/sites-available/default 
DocumentRoot /var/www 


This means that /var/www/index.html is the default web site. 


root@debian7:~# cat /var/www/index.html
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
root@debian7:~#


This screenshot shows how to locate the DocumentRoot directory on RHEL/CentOS. 


[root@centos65 ~]# grep ^DocumentRoot /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"


RHEL/CentOS have no default web page (only the noindex.html error page mentioned 
before). But an index.html file created in /var/www/html/ will automatically be used as 
default page. 


[root@centos65 ~]# echo '<html><head><title>Default website</title></head><body\
><p>A new web page</p></body></html>' > /var/www/html/index.html
[root@centos65 ~]# cat /var/www/html/index.html
<html><head><title>Default website</title></head><body><p>A new web page</p></b\
ody></html>
[root@centos65 ~]#
1.1.7. apache configuration


There are many similarities, but also a couple of differences when configuring apache on 
Debian or on CentOS. Both Linux families will get their own chapters with examples. 


All configuration on RHEL/CentOS is done in /etc/httpd. 


[root@centos65 ~]# ls -l /etc/httpd/
total 8
drwxr-xr-x. 2 root root 4096 May  6 13:08 conf
drwxr-xr-x. 2 root root 4096 May  6 13:08 conf.d
lrwxrwxrwx. 1 root root   19 May  6 13:08 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root   29 May  6 13:08 modules -> ../../usr/lib64/httpd/modu\
les
lrwxrwxrwx. 1 root root   19 May  6 13:08 run -> ../../var/run/httpd
[root@centos65 ~]#


Debian (and ubuntu/mint/...) use /etc/apache2. 


root@debian7:~# ls -l /etc/apache2/
total 72
-rw-r--r-- 1 root root  9659 May  6 14:23 apache2.conf
drwxr-xr-x 2 root root  4096 May  6 13:19 conf.d
-rw-r--r-- 1 root root  1465 Jan 31 18:35 envvars
-rw-r--r-- 1 root root 31063 Jul 20  2013 magic
drwxr-xr-x 2 root root  4096 May  6 13:19 mods-available
drwxr-xr-x 2 root root  4096 May  6 13:19 mods-enabled
-rw-r--r-- 1 root root   150 Jan 26 12:15 ports.conf
drwxr-xr-x 2 root root  4096 May  6 13:19 sites-available
drwxr-xr-x 2 root root  4096 May  6 13:19 sites-enabled
root@debian7:~#


1.2. port virtual hosts on Debian


1.2.1. default virtual host 


Debian has a virtualhost configuration file for its default website in /etc/apache2/sites- 
available/default. 


root@debian7:~# head -2 /etc/apache2/sites-available/default 
<VirtualHost *:80> 
ServerAdmin webmaster@localhost 


1.2.2. three extra virtual hosts 


In this scenario we create three additional websites for three customers that share a clubhouse 
and want to jointly hire you. They are a model train club named Choo Choo, a chess club 
named Chess Club 42 and a hackerspace named hunter2. 


One way to put three websites on one web server, is to put each website on a different port. 
This screenshot shows three newly created virtual hosts, one for each customer. 


root@debian7:~# vi /etc/apache2/sites-available/choochoo 
root@debian7:~# cat /etc/apache2/sites-available/choochoo 
<VirtualHost *:7000> 

ServerAdmin webmaster@localhost 

DocumentRoot /var/www/choochoo 
</VirtualHost> 
root@debian7:~# vi /etc/apache2/sites-available/chessclub42 
root@debian7:~# cat /etc/apache2/sites-available/chessclub42 
<VirtualHost *:8000> 

ServerAdmin webmaster@localhost 

DocumentRoot /var/www/chessclub42 
</VirtualHost> 
root@debian7:~# vi /etc/apache2/sites-available/hunter2 
root@debian7:~# cat /etc/apache2/sites-available/hunter2 
<VirtualHost *:9000> 

ServerAdmin webmaster@localhost 

DocumentRoot /var/www/hunter2 
</VirtualHost> 


Notice the different port numbers 7000, 8000 and 9000. Notice also that we specified a 
unique DocumentRoot for each website. 


If you are using Ubuntu or Mint, these config files need to end in .conf.
1.2.3. three extra ports


We need to enable these three ports on apache in the ports.conf file. Open this file with vi 
and add three lines to listen on three extra ports. 


root@debian7:~# vi /etc/apache2/ports.conf 


Verify with grep that the Listen directives are added correctly. 


root@debian7:~# grep ^Listen /etc/apache2/ports.conf
Listen 80
Listen 7000
Listen 8000
Listen 9000


1.2.4. three extra websites 


Next we need to create three DocumentRoot directories. 


root@debian7:~# mkdir /var/www/choochoo 
root@debian7:~# mkdir /var/www/chessclub42 
root@debian7:~# mkdir /var/www/hunter2 


And we have to put some really simple website in those directories. 


root@debian7:~# echo 'Choo Choo model train Choo Choo' > /var/www/choochoo/inde\
x.html
root@debian7:~# echo 'Welcome to chess club 42' > /var/www/chessclub42/index.ht\
ml
root@debian7:~# echo 'HaCkInG iS fUn At HuNtEr2' > /var/www/hunter2/index.html
1.2.5. enabling extra websites


The last step is to enable the websites with the a2ensite command. This command will create 
links in sites-enabled. 


The links are not there yet... 


root@debian7:~# cd /etc/apache2/
root@debian7:/etc/apache2# ls sites-available/
chessclub42  choochoo  default  default-ssl  hunter2
root@debian7:/etc/apache2# ls sites-enabled/
000-default


So we run the a2ensite command for all websites. 


root@debian7:/etc/apache2# a2ensite choochoo 

Enabling site choochoo. 

To activate the new configuration, you need to run: 
service apache2 reload 

root@debian7:/etc/apache2# a2ensite chessclub42 

Enabling site chessclub42. 

To activate the new configuration, you need to run: 
service apache2 reload 

root@debian7:/etc/apache2# a2ensite hunter2 

Enabling site hunter2. 

To activate the new configuration, you need to run: 
service apache2 reload 


The links are created, so we can tell apache. 


root@debian7:/etc/apache2# ls sites-enabled/
000-default  chessclub42  choochoo  hunter2
root@debian7:/etc/apache2# service apache2 reload
Reloading web server config: apache2.
root@debian7:/etc/apache2#
1.2.6. testing the three websites


Testing the model train club named Choo Choo on port 7000. 


root@debian7:/etc/apache2# wget 127.0.0.1:7000
--2014-05-06 21:16:03--  http://127.0.0.1:7000/
Connecting to 127.0.0.1:7000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32 [text/html]
Saving to: 'index.html'

100%[======================================>] 32          --.-K/s   in 0s

2014-05-06 21:16:03 (2.92 MB/s) - 'index.html' saved [32/32]

root@debian7:/etc/apache2# cat index.html
Choo Choo model train Choo Choo


Testing the chess club named Chess Club 42 on port 8000. 


root@debian7:/etc/apache2# wget 127.0.0.1:8000
--2014-05-06 21:16:20--  http://127.0.0.1:8000/
Connecting to 127.0.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/html]
Saving to: 'index.html.1'

100%[======================================>] 25          --.-K/s   in 0s

2014-05-06 21:16:20 (2.16 MB/s) - 'index.html.1' saved [25/25]

root@debian7:/etc/apache2# cat index.html.1
Welcome to chess club 42


Testing the hacker club named hunter2 on port 9000. 


root@debian7:/etc/apache2# wget 127.0.0.1:9000
--2014-05-06 21:16:30--  http://127.0.0.1:9000/
Connecting to 127.0.0.1:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26 [text/html]
Saving to: 'index.html.2'

100%[======================================>] 26          --.-K/s   in 0s

2014-05-06 21:16:30 (2.01 MB/s) - 'index.html.2' saved [26/26]

root@debian7:/etc/apache2# cat index.html.2
HaCkInG iS fUn At HuNtEr2


Cleaning up the temporary files. 


root@debian7:/etc/apache2# rm index.html index.html.1 index.html.2 


Try testing from another computer using the ip-address of your server. 
1.3. named virtual hosts on Debian


1.3.1. named virtual hosts 


The chess club and the model train club find the port numbers too hard to remember. They
would prefer to have their website accessible by name.


We continue work on the same server that has three websites on three ports. We need to
make sure those websites are accessible using the names choochoo.local, chessclub42.local
and hunter2.local.


We start by creating three new virtualhosts. 


root@debian7:/etc/apache2/sites-available# vi choochoo.local 
root@debian7:/etc/apache2/sites-available# vi chessclub42.local 
root@debian7:/etc/apache2/sites-available# vi hunter2.local 
root@debian7:/etc/apache2/sites-available# cat choochoo.local 
<VirtualHost *:80> 

ServerAdmin webmaster@localhost 

ServerName choochoo.local 

DocumentRoot /var/www/choochoo 

</VirtualHost> 

root@debian7:/etc/apache2/sites-available# cat chessclub42.local 
<VirtualHost *:80> 

ServerAdmin webmaster@localhost 

ServerName chessclub42.local 

DocumentRoot /var/www/chessclub42 

</VirtualHost> 

root@debian7:/etc/apache2/sites-available# cat hunter2.local 
<VirtualHost *:80> 

ServerAdmin webmaster@localhost 

ServerName hunter2.local 

DocumentRoot /var/www/hunter2 

</VirtualHost> 

root@debian7:/etc/apache2/sites-available# 


Notice that they all listen on port 80 and have an extra ServerName directive.


1.3.2. name resolution


We need some way to resolve names. This can be done with DNS, which is discussed in 
another chapter. For this demo it is also possible to quickly add the three names to the /etc/ 
hosts file. 


root@debian7:/etc/apache2/sites-available# grep ^192 /etc/hosts
192.168.42.50 choochoo.local
192.168.42.50 chessclub42.local
192.168.42.50 hunter2.local


Note that you may have another ip address... 
1.3.3. enabling virtual hosts


Next we enable them with a2ensite. 


root@debian7:/etc/apache2/sites-available# a2ensite choochoo.local 
Enabling site choochoo.local. 
To activate the new configuration, you need to run: 

service apache2 reload 
root@debian7:/etc/apache2/sites-available# a2ensite chessclub42.local 
Enabling site chessclub42.local. 
To activate the new configuration, you need to run: 

service apache2 reload 
root@debian7:/etc/apache2/sites-available# a2ensite hunter2.local 
Enabling site hunter2.local. 
To activate the new configuration, you need to run: 

service apache2 reload 


1.3.4. reload and verify 


After a service apache2 reload the websites should be available by name. 


root@debian7:/etc/apache2/sites-available# service apache2 reload 


Reloading web server config: apache2. 
root@debian7:/etc/apache2/sites-available# wget chessclub42.local
--2014-05-06 21:37:13--  http://chessclub42.local/
Resolving chessclub42.local (chessclub42.local)... 192.168.42.50
Connecting to chessclub42.local (chessclub42.local)|192.168.42.50|:80... conne\
cted.
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/html]
Saving to: 'index.html'

100%[======================================>] 25          --.-K/s   in 0s

2014-05-06 21:37:13 (2.16 MB/s) - 'index.html' saved [25/25]


root@debian7:/etc/apache2/sites-available# cat index.html 
Welcome to chess club 42 
1.4. password protected website on Debian


You can secure files and directories in your website with a .htaccess file that refers to a
.htpasswd file. The htpasswd command can create a .htpasswd file that contains a userid
and an (encrypted) password.


This screenshot creates a user and password for the hacker named cliff and uses the -c flag 
to create the .htpasswd file. 


root@debian7:~# htpasswd -c /var/www/.htpasswd cliff 
New password: 

Re-type new password: 

Adding password for user cliff 

root@debian7:~# cat /var/www/.htpasswd
cliff:$apr1$vujllOKL$./SZ4w9q0swhX93pQOPVp.


Hacker rob also wants access, this screenshot shows how to add a second user and password 
to .htpasswd. 


root@debian7:~# htpasswd /var/www/.htpasswd rob 
New password: 

Re-type new password: 

Adding password for user rob 

root@debian7:~# cat /var/www/.htpasswd
cliff:$apr1$vujllOKL$./SZ4w9q0swhX93pQOPVp.
rob:$apr1$HNlnlFFt$nRlpFOH.IW11/1DRq410Qo0


Both Cliff and Rob chose the same password (hunter2), but that is not visible in the
.htpasswd file because of the different salts.


Next we need to create a .htaccess file in the DocumentRoot of the website we want to 
protect. This screenshot shows an example. 


root@debian7:~# cd /var/www/hunter2/ 
root@debian7:/var/www/hunter2# cat .htaccess 
AuthUserFile /var/www/.htpasswd 

AuthName "Members only!" 

AuthType Basic 

require valid-user 


Note that we are protecting the website on port 9000 that we created earlier. 


And because we put the website for the Hackerspace named hunter2 in a subdirectory of the
default website, we will need to adjust the AllowOverride parameter in /etc/apache2/sites-
available/default as this screenshot shows (with line numbers on Debian7, yours may vary).


 9         <Directory /var/www/>
10                 Options Indexes FollowSymLinks MultiViews
11                 AllowOverride AuthConfig
12                 Order allow,deny
13                 allow from all
14         </Directory>


Now restart the apache2 server and test that it works! 
1.5. port virtual hosts on CentOS


1.5.1. default virtual host 


Unlike Debian, CentOS has no virtualHost configuration file for its default website. Instead 
the default configuration will throw a standard error page when no index file can be found 
in the default location (/var/www/html). 


1.5.2. three extra virtual hosts 


In this scenario we create three additional websites for three customers that share a clubhouse
and want to jointly hire you. They are a model train club named Choo Choo, a chess club
named Chess Club 42 and a hackerspace named hunter2.


One way to put three websites on one web server, is to put each website on a different port. 
This screenshot shows three newly created virtual hosts, one for each customer. 


[root@CentOS65 ~]# vi /etc/httpd/conf.d/choochoo.conf
[root@CentOS65 ~]# cat /etc/httpd/conf.d/choochoo.conf
<VirtualHost *:7000>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/choochoo
</VirtualHost>
[root@CentOS65 ~]# vi /etc/httpd/conf.d/chessclub42.conf
[root@CentOS65 ~]# cat /etc/httpd/conf.d/chessclub42.conf
<VirtualHost *:8000>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/chessclub42
</VirtualHost>
[root@CentOS65 ~]# vi /etc/httpd/conf.d/hunter2.conf
[root@CentOS65 ~]# cat /etc/httpd/conf.d/hunter2.conf
<VirtualHost *:9000>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/hunter2
</VirtualHost>


Notice the different port numbers 7000, 8000 and 9000. Notice also that we specified a 
unique DocumentRoot for each website. 


1.5.3. three extra ports 


We need to enable these three ports on apache in the httpd.conf file. 


[root@CentOS65 ~]# vi /etc/httpd/conf/httpd.conf
[root@CentOS65 ~]# grep ^Listen /etc/httpd/conf/httpd.conf
Listen 80
Listen 7000
Listen 8000
Listen 9000
1.5.4. SELinux guards our ports


If we try to restart our server, we will notice the following error: 


[root@CentOS65 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address 0.0.0.0:7000
no listening sockets available, shutting down
                                                           [FAILED]


This is due to SELinux reserving ports 7000 and 8000 for other uses. We need to tell SELinux
that we want to use these ports for http traffic.


[root@CentOS65 ~]# semanage port -m -t http_port_t -p tcp 7000
[root@CentOS65 ~]# semanage port -m -t http_port_t -p tcp 8000
[root@CentOS65 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]


1.5.5. three extra websites 


Next we need to create three DocumentRoot directories. 


[root@CentOS65 ~]# mkdir /var/www/html/choochoo 
[root@CentOS65 ~]# mkdir /var/www/html/chessclub42 
[root@CentOS65 ~]# mkdir /var/www/html/hunter2 


And we have to put some really simple website in those directories. 


[root@CentOS65 ~]# echo 'Choo Choo model train Choo Choo' > /var/www/html/chooc\
hoo/index.html
[root@CentOS65 ~]# echo 'Welcome to chess club 42' > /var/www/html/chessclub42/\
index.html
[root@CentOS65 ~]# echo 'HaCkInG iS fUn At HuNtEr2' > /var/www/html/hunter2/ind\
ex.html


1.5.6. enabling extra websites 


The only way to enable or disable configurations in RHEL/CentOS is by renaming or 
moving the configuration files. Any file in /etc/httpd/conf.d ending on .conf will be loaded 
by Apache. To disable a site we can either rename the file or move it to another directory. 


The files are created, so we can tell apache. 
[root@CentOS65 ~]# ls /etc/httpd/conf.d/ 
chessclub42.conf  choochoo.conf hunter2.conf README welcome.conf 


[root@CentOS65 ~]# service httpd reload 
Reloading httpd: 
1.5.7. testing the three websites


Testing the model train club named Choo Choo on port 7000. 


[root@CentOS65 ~]# wget 127.0.0.1:7000
--2014-05-11 11:59:36--  http://127.0.0.1:7000/
Connecting to 127.0.0.1:7000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32 [text/html]
Saving to: 'index.html'

100%[======================================>] 32          --.-K/s   in 0s

2014-05-11 11:59:36 (4.47 MB/s) - 'index.html' saved [32/32]

[root@CentOS65 ~]# cat index.html
Choo Choo model train Choo Choo


Testing the chess club named Chess Club 42 on port 8000. 


[root@CentOS65 ~]# wget 127.0.0.1:8000
--2014-05-11 12:01:30--  http://127.0.0.1:8000/
Connecting to 127.0.0.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/html]
Saving to: 'index.html.1'

100%[======================================>] 25          --.-K/s   in 0s

2014-05-11 12:01:30 (4.25 MB/s) - 'index.html.1' saved [25/25]

[root@CentOS65 ~]# cat index.html.1
Welcome to chess club 42


Testing the hacker club named hunter2 on port 9000. 


[root@CentOS65 ~]# wget 127.0.0.1:9000
--2014-05-11 12:02:37--  http://127.0.0.1:9000/
Connecting to 127.0.0.1:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26 [text/html]
Saving to: 'index.html.2'

100%[======================================>] 26          --.-K/s   in 0s

2014-05-11 12:02:37 (4.49 MB/s) - 'index.html.2' saved [26/26]

[root@CentOS65 ~]# cat index.html.2
HaCkInG iS fUn At HuNtEr2


Cleaning up the temporary files. 


[root@CentOS65 ~]# rm index.html index.html.1 index.html.2 
1.5.8. firewall rules


If we attempt to access the site from another machine however, we will not be able to view the
website yet. The firewall is blocking incoming connections. We need to open these incoming
ports first.


[root@CentOS65 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@CentOS65 ~]# iptables -I INPUT -p tcp --dport 7000 -j ACCEPT
[root@CentOS65 ~]# iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
[root@CentOS65 ~]# iptables -I INPUT -p tcp --dport 9000 -j ACCEPT


And if we want these rules to remain active after a reboot, we need to save them.


[root@CentOS65 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
1.6. named virtual hosts on CentOS


1.6.1. named virtual hosts 


The chess club and the model train club find the port numbers too hard to remember. They
would prefer to have their website accessible by name.


We continue work on the same server that has three websites on three ports. We need to
make sure those websites are accessible using the names choochoo.local, chessclub42.local
and hunter2.local.


First, we need to enable named virtual hosts in the configuration.


[root@CentOS65 ~]# vi /etc/httpd/conf/httpd.conf 

[root@CentOS65 ~]# grep ^NameVirtualHost /etc/httpd/conf/httpd.conf
NameVirtualHost *:80 

[root@CentOS65 ~]# 


Next we need to create three new virtualhosts. 


[root@CentOS65 ~]# vi /etc/httpd/conf.d/choochoo.local.conf
[root@CentOS65 ~]# vi /etc/httpd/conf.d/chessclub42.local.conf
[root@CentOS65 ~]# vi /etc/httpd/conf.d/hunter2.local.conf
[root@CentOS65 ~]# cat /etc/httpd/conf.d/choochoo.local.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName choochoo.local
        DocumentRoot /var/www/html/choochoo
</VirtualHost>
[root@CentOS65 ~]# cat /etc/httpd/conf.d/chessclub42.local.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName chessclub42.local
        DocumentRoot /var/www/html/chessclub42
</VirtualHost>
[root@CentOS65 ~]# cat /etc/httpd/conf.d/hunter2.local.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName hunter2.local
        DocumentRoot /var/www/html/hunter2
</VirtualHost>
[root@CentOS65 ~]#


Notice that they all listen on port 80 and have an extra ServerName directive.


1.6.2. name resolution


We need some way to resolve names. This can be done with DNS, which is discussed in 
another chapter. For this demo it is also possible to quickly add the three names to the /etc/ 
hosts file. 

[root@CentOS65 ~]# grep ^192 /etc/hosts
192.168.1.225 choochoo.local
192.168.1.225 chessclub42.local
192.168.1.225 hunter2.local


Note that you may have another ip address... 




1.6.3. reload and verify 


After a service httpd reload the websites should be available by name. 


[root@CentOS65 ~]# service httpd reload 

Reloading httpd: 

[root@CentOS65 ~]# wget chessclub42.local
--2014-05-25 16:59:15--  http://chessclub42.local/
Resolving chessclub42.local... 192.168.1.225
Connecting to chessclub42.local|192.168.1.225|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25 [text/html]
Saving to: 'index.html'

100%[======================================>] 25          --.-K/s   in 0s

2014-05-25 16:59:15 (1014 KB/s) - 'index.html' saved [25/25]


[root@CentOS65 ~]# cat index.html 
Welcome to chess club 42 
1.7. password protected website on CentOS


You can secure files and directories in your website with a .htaccess file that refers to a
.htpasswd file. The htpasswd command can create a .htpasswd file that contains a userid
and an (encrypted) password.


This screenshot creates a user and password for the hacker named cliff and uses the -c flag 
to create the .htpasswd file. 


[root@CentOS65 ~]# htpasswd -c /var/www/.htpasswd cliff 
New password: 

Re-type new password: 

Adding password for user cliff 

[root@CentOS65 ~]# cat /var/www/.htpasswd 
cliff:ONwTrymMLBctU 


Hacker rob also wants access, this screenshot shows how to add a second user and password 
to .htpasswd. 


[root@CentOS65 ~]# htpasswd /var/www/.htpasswd rob 
New password: 

Re-type new password: 

Adding password for user rob 

[root@CentOS65 ~]# cat /var/www/.htpasswd
cliff:ONwTrymMLBctU
rob:EC2vOCcrMXDoM
[root@CentOS65 ~]#


Both Cliff and Rob chose the same password (hunter2), but that is not visible in the
.htpasswd file because of the different salts.


Next we need to create a .htaccess file in the DocumentRoot of the website we want to 
protect. This screenshot shows an example. 


[root@CentOS65 ~]# cat /var/www/html/hunter2/.htaccess
AuthUserFile /var/www/.htpasswd 

AuthName "Members only!" 

AuthType Basic 

require valid-user 


Note that we are protecting the website on port 9000 that we created earlier. 


And because we put the website for the Hackerspace named hunter2 in a subdirectory of the
default website, we will need to adjust the AllowOverride parameter in /etc/httpd/conf/
httpd.conf under the <Directory "/var/www/html"> directive as this screenshot shows.
[root@CentOS65 ~]# vi /etc/httpd/conf/httpd.conf

<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride AuthConfig

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>


Now restart the apache2 server and test that it works! 
1.8. troubleshooting apache 


When apache restarts, it will verify the syntax of files in the configuration folder /etc/ 
apache2 on debian or /etc/httpd on CentOS and it will tell you the name of the faulty file, 
the line number and an explanation of the error. 


root@debian7:~# service apache2 restart 
apache2: Syntax error on line 268 of /etc/apache2/apache2.conf: Syntax error o\
n line 1 of /etc/apache2/sites-enabled/chessclub42: /etc/apache2/sites-enabled\
/chessclub42:4: <VirtualHost> was not closed.\n/etc/apache2/sites-enabled/ches\
sclub42:1: <VirtualHost> was not closed. 
Action 'configtest' failed. 
The Apache error log may have more information. 
 failed! 


Below you see the problem... a missing / in the closing tag on line 4 (it should read </VirtualHost>). 


root@debian7:~# cat /etc/apache2/sites-available/chessclub42 
<VirtualHost *:8000> 
ServerAdmin webmaster@localhost 
DocumentRoot /var/www/chessclub42 
<VirtualHost> 


Let us force another error by renaming the directory of one of our websites: 


root@debian7:~# mv /var/www/choochoo/ /var/www/chooshoo 
root@debian7:~# !ser 
service apache2 restart 
Restarting web server: apache2Warning: DocumentRoot [/var/www/choochoo] does n\ 
ot exist 
Warning: DocumentRoot [/var/www/choochoo] does not exist 
waiting Warning: DocumentRoot [/var/www/choochoo] does not exist 
Warning: DocumentRoot [/var/www/choochoo] does not exist 


As you can see, apache will tell you exactly what is wrong. 
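The two failures shown above, a section that is never closed and a DocumentRoot that no longer exists, are the ones you run into most often, and both can be checked for before restarting. The Python below is an added example, not code from the book or from Apache: a small checker that walks a config fragment, tracks open sections and looks up each DocumentRoot, run here over two constructed virtual host files. It is not a replacement for apache2ctl -t (or apachectl configtest), which runs the real parser, but it shows what that syntax check is doing.

```python
import os
import re

OPEN_TAG = re.compile(r"^\s*<(\w+)(?:\s[^>]*)?>\s*$")
CLOSE_TAG = re.compile(r"^\s*</(\w+)\s*>\s*$")
DOCROOT = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)


def check_config(text, isdir=os.path.isdir):
    """Return a list of problems found in an Apache config fragment.

    Two checks mirror the errors shown above: section tags such as
    <VirtualHost> and <Directory> that are never closed, and a
    DocumentRoot that points to a directory that does not exist.
    `isdir` is injectable so the check can run against constructed input.
    """
    problems = []
    open_sections = []           # stack of (tag name, line number)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if open_sections and open_sections[-1][0].lower() == m.group(1).lower():
                open_sections.pop()
            else:
                problems.append(f"line {lineno}: </{m.group(1)}> without matching open tag")
            continue
        m = OPEN_TAG.match(line)
        if m:
            open_sections.append((m.group(1), lineno))
            continue
        m = DOCROOT.match(line)
        if m and not isdir(m.group(1)):
            problems.append(f"line {lineno}: DocumentRoot [{m.group(1)}] does not exist")
    # Report innermost first, which is the order Apache used above (line 4, then line 1).
    for name, lineno in reversed(open_sections):
        problems.append(f"line {lineno}: <{name}> was not closed")
    return problems


# Constructed configs: the first reproduces the chessclub42 mistake (a missing /
# in the closing tag); the second is well-formed but names a DocumentRoot we
# pretend has been renamed, as happened to choochoo above.
BROKEN_VHOST = """<VirtualHost *:8000>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/chessclub42
<VirtualHost>
"""

GOOD_VHOST = """<VirtualHost *:8000>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/choochoo
</VirtualHost>
"""

if __name__ == "__main__":
    for problem in check_config(BROKEN_VHOST, isdir=lambda path: True):
        print(problem)
    for problem in check_config(GOOD_VHOST, isdir=lambda path: False):
        print(problem)
```

Run against a real file, `check_config(open("/etc/apache2/sites-available/chessclub42").read())` uses os.path.isdir, so the DocumentRoot check is only meaningful on the server itself.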


You can also troubleshoot by connecting to the website via a browser and then checking the 
apache log files in /var/log/apache. 
1.9. virtual hosts example 


Below is a sample virtual host configuration. This virtual host overrides the default Apache 
ErrorDocument directive. 


<VirtualHost 83.217.76.245:80> 
ServerName cobbaut.be 
ServerAlias www.cobbaut.be 
DocumentRoot /home/paul/public_html 
ErrorLog /home/paul/logs/error_log 
CustomLog /home/paul/logs/access_log common 
ScriptAlias /cgi-bin/ /home/paul/cgi-bin/ 
<Directory /home/paul/public_html> 
Options Indexes IncludesNOEXEC FollowSymLinks 
allow from all 
</Directory> 
ErrorDocument 404 http://www.cobbaut.be/cobbaut.php 
</VirtualHost> 


1.10. aliases and redirects 


Apache supports aliases for directories, like this example shows. 


Alias /paul/ "/home/paul/public_html/" 


Similarly, content can be redirected to another website or web server. 


Redirect permanent /foo http://www.foo.com/bar 


1.11. more on .htaccess 


You can do much more with .htaccess. One example is to use .htaccess to prevent visitors 
coming from certain domains from accessing your website. In this case, a number of referer 
spammers are blocked from the website. 


paul@lounge:~/cobbaut.be$ cat .htaccess 
# Options +FollowSymlinks 
RewriteEngine On 

RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-adipex.fw.nu.*$ [OR] 
RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-levitra.asso.ws.*$ [NC,OR] 
RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-tramadol.fw.nu.*$ [NC,OR] 
RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-viagra.lookin.at.*$ [NC,OR] 
RewriteCond %{HTTP_REFERER} ^http://(www\.)?www.healthinsurancehelp.net.*$ [NC] 
RewriteRule .* - [F,L] 
paul@lounge:~/cobbaut.be$ 
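To see how a chain of RewriteCond lines is combined, and to catch slips such as a missing [NC] flag, the conditions can be replayed against sample Referer values before the file goes live. The Python below is an added example, not the book's code: it parses the RewriteCond lines above (embedded here as constructed input) and applies mod_rewrite's combination rule, namely that consecutive conditions are ANDed, except that a condition carrying [OR] is ORed with the one that follows it.

```python
import re

COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([A-Za-z,]+)\])?\s*$"
)

# Constructed input: the RewriteCond lines from the .htaccess above.
HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-adipex.fw.nu.*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-levitra.asso.ws.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-tramadol.fw.nu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?buy-viagra.lookin.at.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?www.healthinsurancehelp.net.*$ [NC]
RewriteRule .* - [F,L]
"""


def parse_referer_conds(text):
    """Return [(compiled pattern, has_OR_flag)] for each RewriteCond on HTTP_REFERER."""
    conds = []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if not m:
            continue
        pattern = m.group(1)
        flags = (m.group(2) or "").upper().split(",")
        re_flags = re.IGNORECASE if "NC" in flags else 0     # [NC] = nocase
        conds.append((re.compile(pattern, re_flags), "OR" in flags))
    return conds


def is_blocked(conds, referer):
    """mod_rewrite semantics: consecutive conditions are ANDed, but a condition
    carrying [OR] is ORed with the condition that follows it."""
    groups, current = [], []
    for pattern, or_flag in conds:
        current.append(pattern)
        if not or_flag:                   # this condition closes an OR-group
            groups.append(current)
            current = []
    if current:                           # trailing [OR] with nothing after it
        groups.append(current)
    return bool(groups) and all(any(p.search(referer) for p in group) for group in groups)


if __name__ == "__main__":
    conds = parse_referer_conds(HTACCESS)
    for ref in ("http://www.buy-adipex.fw.nu/", "http://BUY-ADIPEX.fw.nu/",
                "http://buy-levitra.asso.ws/x", "http://www.example.org/", ""):
        print(f"{ref!r:40} blocked={is_blocked(conds, ref)}")
```

Note how the first line's missing [NC] lets an upper-cased variant of the same referer through while the other four lines are case-insensitive. Keep in mind that the Referer header is supplied by the client, so rules like these only filter the spam sources they name; a client that omits or changes the header is not affected.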


1.12. traffic 


Apache keeps a log of all visitors. The webalizer is often used to parse this log into nice 
html statistics. 
1.13. self signed cert on Debian 


Below is a very quick guide on setting up Apache2 on Debian 7 with a self-signed certificate. 


Chances are these packages are already installed. 


root@debian7:~# aptitude install apache2 openssl 

No packages will be installed, upgraded, or removed. 

0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded. 
Need to get 0 B of archives. After unpacking 0 B will be used. 


Create a directory to store the certs, and use openssl to create a self signed cert that is valid 
for 999 days. 


root@debian7:~# mkdir /etc/ssl/localcerts 

root@debian7:~# openssl req -new -x509 -days 999 -nodes -out /etc/ssl/local\ 
certs/apache.pem -keyout /etc/ssl/localcerts/apache.key 

Generating a 2048 bit RSA private key 


writing new private key to '/etc/ssl/localcerts/apache.key' 

You are about to be asked to enter information that will be incorporated 
into your certificate request. 

What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 

For some fields there will be a default value, 

If you enter '.', the field will be left blank. 

Country Name (2 letter code) [AU]:BE 

State or Province Name (full name) [Some-State]:Antwerp 

Locality Name (eg, city) []:Antwerp 

Organization Name (eg, company) [Internet Widgits Pty Ltd]:linux-training.be 
Organizational Unit Name (eg, section) []: 

Common Name (e.g. server FQDN or YOUR name) []:Paul 

Email Address []: 


A little security never hurt anyone. 


root@debian7:~# ls -l /etc/ssl/localcerts/ 
total 8 
-rw-r--r-- 1 root root 1704 Sep 16 18:24 apache.key 
-rw-r--r-- 1 root root 1302 Sep 16 18:24 apache.pem 
root@debian7:~# chmod 600 /etc/ssl/localcerts/* 
root@debian7:~# ls -l /etc/ssl/localcerts/ 
total 8 
-rw------- 1 root root 1704 Sep 16 18:24 apache.key 
-rw------- 1 root root 1302 Sep 16 18:24 apache.pem 


Enable the apache ssl mod. 


root@debian7:~# a2enmod ssl 
Enabling module ssl. 
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL\ 
and create self-signed certificates. 
To activate the new configuration, you need to run: 
service apache2 restart 


Create the website configuration. 


root@debian7:~# vi /etc/apache2/sites-available/choochoos 
root@debian7:~# cat /etc/apache2/sites-available/choochoos 
<VirtualHost *:7000> 
ServerAdmin webmaster@localhost 
DocumentRoot /var/www/choochoos 
SSLEngine On 
SSLCertificateFile /etc/ssl/localcerts/apache.pem 
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key 
</VirtualHost> 
root@debian7:~# 


And create the website itself. 


root@debian7:/var/www/choochoos# vi index.html 
root@debian7:/var/www/choochoos# cat index.html 
Choo Choo HTTPS secured model train Choo Choo 


Enable the website and restart (or reload) apache2. 


root@debian7:/var/www/choochoos# a2ensite choochoos 

Enabling site choochoos. 

To activate the new configuration, you need to run: 
service apache2 reload 

root@debian7:/var/www/choochoos# service apache2 restart 

Restarting web server: apache2 ... waiting 


Chances are your browser will warn you about the self signed certificate. 


[screenshot: Iceweasel "Untrusted Connection" page for https://192.168.1.112:7000] 

This Connection is Untrusted 

You have asked Iceweasel to connect securely to 192.168.1.112:7000, but we can't confirm 
that your connection is secure. 

Normally, when you try to connect securely, sites will present trusted identification to prove 
that you are going to the right place. However, this site's identity can't be verified. 

What Should I Do? 

If you usually connect to this site without problems, this error could mean that someone is 
trying to impersonate the site, and you shouldn't continue. 

Technical Details 
192.168.1.112:7000 uses an invalid security certificate. 
The certificate is not trusted because it is self-signed. 
The certificate is only valid for Paul 
(Error code: sec_error_unknown_issuer) 
1.14. self signed cert on RHEL/CentOS 


Below is a quick way to create a self signed cert for https on RHEL/CentOS. You may need 
these packages: 


[root@paulserver ~]# yum install httpd openssl mod_ssl 
Loaded plugins: fastestmirror 
Loading mirror speeds from cached hostfile 
 * base: ftp.belnet.be 
 * extras: ftp.belnet.be 
 * updates: mirrors.vooservers.com 
base | ... 00:00 
Setting up Install Process 
Package httpd-2.2.15-31.el6.centos.x86_64 already installed and latest version 
Package openssl-1.0.1e-16.el6_5.15.x86_64 already installed and latest version 
Package 1:mod_ssl-2.2.15-31.el6.centos.x86_64 already ins... and latest version 
Nothing to do 


We use openssl to create the certificate. 


[root@paulserver ~]# mkdir certs 

[root@paulserver ~]# cd certs 

[root@paulserver certs]# openssl genrsa -out ca.key 2048 
Generating RSA private key, 2048 bit long modulus 


e is 65537 (0x10001) 

[root@paulserver certs]# openssl req -new -key ca.key -out ca.csr 

You are about to be asked to enter information that will be incorporated 
into your certificate request. 

What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 

For some fields there will be a default value, 

If you enter '.', the field will be left blank. 

Country Name (2 letter code) [XX]:BE 

State or Province Name (full name) []:antwerp 

Locality Name (eg, city) [Default City]:antwerp 

Organization Name (eg, company) [Default Company Ltd]:antwerp 
Organizational Unit Name (eg, section) []: 

Common Name (eg, your name or your server's hostname) []:paulserver 
Email Address []: 


Please enter the following 'extra' attributes 

to be sent with your certificate request 

A challenge password []: 

An optional company name []: 

[root@paulserver certs]# openssl x509 -req -days 365 -in ca.csr -signkey ca.ke\
y -out ca.crt 
Signature ok 
subject=/C=BE/ST=antwerp/L=antwerp/O=antwerp/CN=paulserver 
Getting Private key 


We copy the keys to the right location (You may be missing SELinux info here). 


[root@paulserver certs]# cp ca.crt /etc/pki/tls/certs/ 
[root@paulserver certs]# cp ca.key ca.csr /etc/pki/tls/private/ 


We add the location of our keys to this file, and also add the NameVirtualHost *:443 
directive. 


[root@paulserver certs]# vi /etc/httpd/conf.d/ssl.conf 
[root@paulserver certs]# grep ^SSLCerti /etc/httpd/conf.d/ssl.conf 
SSLCertificateFile /etc/pki/tls/certs/ca.crt 
SSLCertificateKeyFile /etc/pki/tls/private/ca.key 


Create a website configuration. 


[root@paulserver certs]# vi /etc/httpd/conf.d/choochoos.conf 
[root@paulserver certs]# cat /etc/httpd/conf.d/choochoos.conf 
<VirtualHost *:443> 
SSLEngine on 
SSLCertificateFile /etc/pki/tls/certs/ca.crt 
SSLCertificateKeyFile /etc/pki/tls/private/ca.key 
DocumentRoot /var/www/choochoos 
ServerName paulserver 
</VirtualHost> 
[root@paulserver certs]# 


Create a simple website and restart apache. 


[root@paulserver certs]# mkdir /var/www/choochoos 
[root@paulserver certs]# echo HTTPS model train choochoos > /var/www/choochoos/\
index.html 
[root@paulserver httpd]# service httpd restart 
Stopping httpd: 
Starting httpd: 


And your browser will probably warn you that this certificate is self signed. 


[screenshot: Iceweasel "Untrusted Connection" page for https://192.168.1.101] 

This Connection is Untrusted 

You have asked Iceweasel to connect securely to 192.168.1.101, but we can't confirm that 
your connection is secure. 

Normally, when you try to connect securely, sites will present trusted identification to prove 
that you are going to the right place. However, this site's identity can't be verified. 

What Should I Do? 

If you usually connect to this site without problems, this error could mean that someone is 
trying to impersonate the site, and you shouldn't continue. 

Technical Details 
192.168.1.101 uses an invalid security certificate. 
The certificate is not trusted because it is self-signed. 
The certificate is only valid for paulserver 
(Error code: sec_error_unknown_issuer) 
1.15. practice: apache 


1. Verify that Apache is installed and running. 
2. Browse to the Apache HTML manual. 
3. Create three virtual hosts that listen on ports 8472, 31337 and 1201. Test that it all works. 


4. Create three named virtual hosts startrek.local, starwars.local and stargate.local. Test that 
it all works. 


5. Create a virtual host that listens on another ip-address. 


6. Protect one of your websites with a user/password combo. 
2.1. about proxy servers 


2.1.1. usage 


A proxy server is a server that caches the internet. Clients connect to the proxy server with 
a request for an internet server. The proxy server will connect to the internet server on behalf 
of the client. The proxy server will also cache the pages retrieved from the internet server. 
A proxy server may provide pages from its cache to a client, instead of connecting to the 
internet server to retrieve the (same) pages. 


A proxy server has two main advantages. It improves web surfing speed when returning 
cached data to clients, and it reduces the required bandwidth (cost) to the internet. 


Smaller organizations sometimes put the proxy server on the same physical computer that 
serves as a NAT to the internet. In larger organizations, the proxy server is one of many 
servers in the DMZ. 


When web traffic passes via a proxy server, it is common practice to configure the proxy 
with extra settings for access control. Access control in a proxy server can mean user account 
access, but also website(url), ip-address or dns restrictions. 


2.1.2. open proxy servers 


You can find lists of open proxy servers on the internet that enable you to surf anonymously. 
This works when the proxy server connects on your behalf to a website, without logging 
your ip-address. But be careful, these (listed) open proxy servers could be created in order 
to eavesdrop upon their users. 


2.1.3. squid 


This module is an introduction to the squid proxy server (http://www.squid-cache.org). We 
will first configure squid as a normal proxy server. 
2.2. installing squid 


This screenshot shows how to install squid on Debian with aptitude. Use yum if you are 
on Red Hat/CentOS. 


root@debian7:~# aptitude install squid 
The following NEW packages will be installed: 
  squid squid-common{a} squid-langpack{a} 
0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded. 
Need to get 1,513 kB of archives. After unpacking 4,540 kB will be used. 
Do you want to continue? [Y/n/?] 
...Output truncated... 
Setting up squid-langpack (20120616-1) 
Setting up squid-common (2.7.STABLE9-4.1) 
Setting up squid (2.7.STABLE9-4.1) 
Creating squid spool directory structure 
2014/08/01 15:19:31| Creating Swap Directories 
Restarting Squid HTTP proxy: squid. 


squid's main configuration file is /etc/squid/squid.conf. The file explains every parameter 
in great detail. 


root@debian7:~# wc -l /etc/squid/squid.conf 
4948 /etc/squid/squid.conf 


2.3. port 3128 


By default the squid proxy server will listen on port 3128. 


root@debian7:~# grep ^http_port /etc/squid/squid.conf 
http_port 3128 
root@debian7:~# 


2.4. starting and stopping 


You can manage squid with the standard service command as shown in this screenshot. 


root@debian7:~# service squid start 
Starting Squid HTTP proxy: squid. 
root@debian7:~# service squid restart 
Restarting Squid HTTP proxy: squid. 
root@debian7:~# service squid status 
squid is running. 

root@debian7:~# service squid stop 
Stopping Squid HTTP proxy: squid. 
root@debian7:~# 
2.5. client proxy settings 


To enable a proxy server in Firefox or Iceweasel go to Edit Preferences and configure as 
shown in this screenshot (replace 192.168.1.60 with the ip address of your proxy server). 


[screenshot: Iceweasel "Connection Settings" dialog, "Configure Proxies to Access the Internet"] 
Manual proxy configuration: 
HTTP Proxy: 192.168.1.60   Port: 3128 
No Proxy for: localhost, 127.0.0.1 


Test that your internet works with the proxy enabled. Also test that, after a service squid 
stop command on your proxy server, you get a message similar to this screenshot. 


[screenshot: Iceweasel "Problem loading page" for linux-training.be] 
The proxy server is refusing connections 
Iceweasel is configured to use a proxy server that is refusing connections. 
- Check the proxy settings to make sure that they are correct. 
- Contact your network administrator to make sure the proxy server is working. 
To enable a proxy server with Google Chrome (or Debian Chromium) start the program 
from the command line like this: 


paul@debian7:~$ chromium --proxy-server='192.168.1.60:3128' 


Disabling the proxy with service squid stop should result in an error message similar to 
this screenshot. 


[screenshot: Chromium at http://linux-training.be] 
Unable to connect to the proxy server 
2.6. upside down images 


A proxy server sits in between your browser and the internet. So besides caching internet 
data (the original function of a proxy server) and besides firewall-like restrictions based on 
web content, a proxy server is in the perfect position to alter the web pages that you visit. 


You could for instance change the advertising on a web page (or remove certain advertisers), 
or, as we do in this example, change all images so they are upside down. 


The server needs command line tools to manipulate images and a perl script that uses these 
tools (and wget to download the images locally and serve them with apache2). In this 
example we use imagemagick (which provides tools like convert and mogrify). 


root@debian7:~# aptitude install imagemagick wget perl apache2 
...Output truncated... 

root@debian7:~# dpkg -S $(readlink -f $(which mogrify)) 
imagemagick: /usr/bin/mogrify.im6 

root@debian7:~# 


The perl script that is shown in the screenshot below can be found on several websites, yet 
I have not found the original author. It is however a very simple script that uses wget and 
mogrify to download images (.jpg .gif and .png), flip them and store them in /var/www/ 
images. 


root@debian7:~# cat /usr/local/bin/flip.pl 
#!/usr/bin/perl 
$|=1;                   # unbuffered output: squid waits for one answer line per request 
$count = 0; 
$pid = $$; 
while (<>) { 
    chomp $_; 
    if ($_ =~ /(.*\.jpg)/i) { 
        $url = $1; 
        system("/usr/bin/wget", "-q", "-O","/var/www/images/$pid-$count.jpg", "$url"); 
        system("/usr/bin/mogrify", "-flip","/var/www/images/$pid-$count.jpg"); 
        print "http://127.0.0.1/images/$pid-$count.jpg\n"; 
    } 
    elsif ($_ =~ /(.*\.gif)/i) { 
        $url = $1; 
        system("/usr/bin/wget", "-q", "-O","/var/www/images/$pid-$count.gif", "$url"); 
        system("/usr/bin/mogrify", "-flip","/var/www/images/$pid-$count.gif"); 
        print "http://127.0.0.1/images/$pid-$count.gif\n"; 
    } 
    elsif ($_ =~ /(.*\.png)/i) { 
        $url = $1; 
        system("/usr/bin/wget", "-q", "-O","/var/www/images/$pid-$count.png", "$url"); 
        system("/usr/bin/mogrify", "-flip","/var/www/images/$pid-$count.png"); 
        print "http://127.0.0.1/images/$pid-$count.png\n"; 
    } 
    else { 
        print "$_\n";       # not an image: hand the line back to squid unchanged 
    } 
    $count++; 
} 


Change (or enable) also the following lines in /etc/squid/squid.conf. 


http_access allow localnet 
http_port 3128 transparent 
url_rewrite_program /usr/local/bin/flip.pl 


The directory this script uses is /var/www/images and should be accessible by both the 
squid server (which runs as the user named proxy) and the apache2 web server (which 
runs as the user www-data). The screenshot below shows how to create this directory, set the 
permissions and make each user a member of the other's group. 


root@debian7:~# mkdir /var/www/images 

root@debian7:~# chown www-data:www-data /var/www/images 
root@debian7:~# chmod 755 /var/www/images 
root@debian7:~# usermod -aG www-data proxy 
root@debian7:~# usermod -aG proxy www-data 


Test that it works after restarting squid and apache2. 
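The helper protocol flip.pl speaks is simple: squid writes one request per line to the helper's standard input and reads back one line, the URL to fetch instead (or the original URL for no change). The Python below is an added example, not the book's script or anything shipped with squid: it parses the squid 2.7 url_rewrite_program line format, decides from the URL path alone which requests are images (flip.pl's regex runs over the whole line, so a query string that happens to contain .jpg would match too), and only rewrites plain-HTTP GETs. The download-and-flip step is passed in as a function so the decision logic can be exercised on constructed input; the main loop wires in the same wget and mogrify calls the book uses.

```python
import itertools
import os
import subprocess
import sys
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")
LOCAL_BASE = "http://127.0.0.1/images/"     # served by apache2, as in the book
IMAGE_DIR = "/var/www/images"


def parse_helper_line(line):
    """squid 2.7 url_rewrite_program input: 'URL client_ip/fqdn ident method [kv-pairs]'."""
    fields = line.split()
    if not fields:
        return None
    return {
        "url": fields[0],
        "client": fields[1] if len(fields) > 1 else "-",
        "method": fields[3] if len(fields) > 3 else "-",
    }


def image_extension(url):
    """Extension of the URL *path*, or None. Checking only the path (not the query
    string or the whole line) avoids rewriting e.g. http://host/page?img=.jpg"""
    path = urlsplit(url).path.lower()
    for ext in IMAGE_EXTENSIONS:
        if path.endswith(ext):
            return ext
    return None


def rewrite_line(line, handle_image):
    """Return the answer line for squid: a rewritten URL for plain-HTTP GETs of
    images, otherwise the original URL unchanged. handle_image(url, ext) must fetch
    and transform the image and return its file name under LOCAL_BASE, or None."""
    req = parse_helper_line(line)
    if req is None:
        return ""
    url = req["url"]
    ext = image_extension(url)
    if ext is None or not url.startswith("http://") or req["method"] not in ("GET", "-"):
        return url
    local_name = handle_image(url, ext)
    return LOCAL_BASE + local_name if local_name else url


_counter = itertools.count()


def fetch_and_flip(url, ext):
    """Real handler for the main loop: download with wget and flip with mogrify
    (ImageMagick), the same two commands flip.pl runs."""
    name = f"{os.getpid()}-{next(_counter)}{ext}"
    target = os.path.join(IMAGE_DIR, name)
    if subprocess.call(["/usr/bin/wget", "-q", "-O", target, url]) != 0:
        return None                        # download failed: leave the URL alone
    subprocess.call(["/usr/bin/mogrify", "-flip", target])
    return name


if __name__ == "__main__":
    # squid keeps the helper running and expects exactly one answer line per
    # input line, so stdout must be flushed after every request.
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line, fetch_and_flip) + "\n")
        sys.stdout.flush()
```

Failed downloads fall back to the original URL rather than pointing the client at a file that does not exist, and non-GET requests or https URLs pass straight through. Everything the helper fetches comes from URLs chosen by the clients behind the proxy, so /var/www/images should stay a dedicated directory that apache2 serves without execute permissions, as the mkdir and chmod lines above set up.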


[screenshot: xkcd: Sandwich in Iceweasel, with every image on the page flipped upside down] 

2.7. /var/log/squid 


The standard log file location for squid is /var/log/squid. 


[root@RHEL4 ~]# grep "/var/log" /etc/squid/squid.conf 
# cache_access_log /var/log/squid/access.log 
# cache_log /var/log/squid/cache.log 
# cache_store_log /var/log/squid/store.log 


2.8. access control 


The default squid setup only allows localhost access. To enable access for a private network 
range, look for the "INSERT YOUR OWN RULE(S) HERE..." sentence in squid.conf and 
add two lines similar to the screenshot below. 


# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 
acl company_network src 192.168.1.0/24 
http_access allow company_network 
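How squid walks its http_access lines, and what happens to a client that matches none of them, is worth seeing on constructed input before editing a production squid.conf. The Python below is an added example, not part of the book or of squid: it reads acl ... src definitions and http_access lines and decides allow or deny for a client address the way squid documents it: the first http_access line whose ACLs all match decides, and if no line matches, the default is the opposite of the last line. Both sample configurations are constructed; the first adds the two lines above to the usual localhost and "deny all" rules, the second leaves the closing "deny all" out.

```python
import ipaddress

# Constructed: the two lines suggested above plus the usual localhost and
# closing "deny all" rules.
SAFE_CONF = """
acl localhost src 127.0.0.1/32
acl company_network src 192.168.1.0/24
acl all src all

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localhost
http_access allow company_network
http_access deny all
"""

# Constructed: no closing "deny all", and the list ends on a deny line.
OPEN_CONF = """
acl company_network src 192.168.1.0/24
acl bad_host src 192.168.1.66/32
http_access allow company_network
http_access deny bad_host
"""


def parse_squid_access(text):
    """Collect 'acl NAME src ADDR...' definitions and 'http_access allow|deny NAME...' rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            for addr in parts[3:]:
                if addr == "all":                 # squid's spelling for every address
                    nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
                else:
                    nets.append(ipaddress.ip_network(addr, strict=False))
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip):
    """An ACL name on an http_access line may be negated with a leading '!'."""
    negate = name.startswith("!")
    nets = acls.get(name.lstrip("!"), [])
    hit = any(client_ip in net for net in nets)
    return hit != negate


def http_access_decision(acls, rules, client):
    """'allow' or 'deny' for a client address, as squid evaluates http_access:
    the first line whose ACLs all match decides; if none matches, the default
    is the opposite of the last line."""
    client_ip = ipaddress.ip_address(client)
    for action, names in rules:
        if all(acl_matches(acls, n, client_ip) for n in names):
            return action
    if not rules:
        return "deny"                  # assumption for this example: no rules, no access
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("safe", SAFE_CONF), ("open", OPEN_CONF)):
        acls, rules = parse_squid_access(conf)
        for client in ("192.168.1.20", "192.168.1.66", "10.0.0.5"):
            print(label, client, http_access_decision(acls, rules, client))
```

Both pitfalls show up in OPEN_CONF: rule order (192.168.1.66 is allowed because company_network matches before bad_host is consulted) and the fall-through default, which hands a client from 10.0.0.5 an allow because the last line is a deny. That is why the access list in squid.conf should always end with http_access deny all.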


2.9. testing squid 


First, make sure that the server running squid has access to the internet. 


[root@RHEL4 ~]# wget -q http://linux-training.be/index.html 
[root@RHEL4 ~]# ls -l index.html 
-rw-r--r-- 1 root root ... index.html 
[root@RHEL4 ~]# 


Then configure a browser on a client to use the proxy server, or you could set the 
HTTP_PROXY (sometimes http_proxy) variable to point command line programs to the 
proxy. 


[root@fedora ~]# export HTTP_PROXY=http://192.168.1.39:8080 
[root@ubuntu ~]# export http_proxy=http://192.168.1.39:8080 


Testing a client machine can then be done with wget (wget -q is used to simplify the 
screenshot). 


[root@RHEL5 ~]# > /etc/resolv.conf 
[root@RHEL5 ~]# wget -q http://www.linux-training.be/index.html 
[root@RHEL5 ~]# ls -l index.html 
-rw-r--r-- 1 root root 2269 Sep 18 2008 index.html 
[root@RHEL5 ~]# 


2.10. name resolution 


You need name resolution working on the squid server, but you don't need name resolution 
on the clients. 


[paul@RHEL5 ~]$ wget http://grep.be 
--14:35:44--  http://grep.be 
Resolving grep.be... failed: Temporary failure in name resolution. 
[paul@RHEL5 ~]$ export http_proxy=http://192.168.1.39:8080 
[paul@RHEL5 ~]$ wget http://grep.be 
--14:35:49--  http://grep.be/ 
Connecting to 192.168.1.39:8080... connected. 
Proxy request sent, awaiting response... 200 OK 
Length: 5390 (5.3K) [text/html] 
Saving to: `index.html.1' 

100%[=========================================>] 5,390 ... 
14:38:29 (54.8 KB/s) - `index.html' saved [5390/5390] 

[paul@RHEL5 ~]$ 
Chapter 3. introduction to sql using mysql 


mysql is a database server that understands Structured Query Language (SQL). MySQL 
was developed by the Swedish company MySQL AB. The first release was in 1995. In 
2008 MySQL AB was bought by Sun Microsystems (which is now owned by Oracle). 


mysql is very popular for websites in combination with php and apache (the m in lamp 
servers), but mysql is also used in organizations with huge databases like Facebook, Flickr, 
Google, Nokia, Wikipedia and Youtube. 


This chapter will teach you sql by creating and using small databases, tables, queries and a 
simple trigger in a local mysql server. 
3.1. installing mysql 


On Debian/Ubuntu you can use aptitude install mysql-server to install the mysql server 
and client. 


root@ubu1204:~# aptitude install mysql-server 
The following NEW packages will be installed: 
  libdbd-mysql-perl{a} libdbi-perl{a} libhtml-template-perl{a} 
  libnet-daemon-perl{a} libplrpc-perl{a} mysql-client-5.5{a} 
  mysql-client-core-5.5{a} mysql-server mysql-server-5.5{a} 
  mysql-server-core-5.5{a} 
0 packages upgraded, 10 newly installed, 0 to remove and 1 not upgraded. 
Need to get 25.5 MB of archives. After unpacking 88.4 MB will be used. 
Do you want to continue? [Y/n/?] 


During the installation you will be asked to provide a password for the root mysql user; 
remember this password (or use hunter2 like I do). 


To verify the installed version, use dpkg -l on Debian/Ubuntu. This screenshot shows 
version 5.0 installed. 


root@ubu1204:~# dpkg -l mysql-server | tail -1 | tr -s ' ' | cut -c1-72 
ii mysql-server 5.5.24-0ubuntu0.12.04.1 MySQL database server (metapacka 


Issue rpm -q to get version information about MySQL on Red Hat/Fedora/CentOS. 


[paul@RHEL52 ~]$ rpm -q mysql-server 
mysql-server-5.0.45-7.el5 


You will need at least version 5.0 to work with triggers. 
3.2. accessing mysql 


3.2.1. Linux users 


The installation of mysql creates a user account in /etc/passwd and a group account in / 
etc/group. 


kevin@ubu1204:~$ tail -1 /etc/passwd 
mysql:x:120:131:MySQL Server,,,:/nonexistent:/bin/false 
kevin@ubu1204:~$ tail -1 /etc/group 
mysql:x:131: 


The mysql daemon mysqld will run with the credentials of this user and group. 


root@ubu1204:~# ps -eo uid,user,gid,group,comm | grep mysqld 
  120 mysql      131 mysql    mysqld 


3.2.2. mysql client application 


You can now use mysql from the command line by just typing mysql -u root -p and you 
will be asked for the password (of the mysql root account). In the screenshot below the user 
typed exit to leave the mysql console. 


root@ubu1204:~# mysql -u root -p 
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g. 
Your MySQL connection id is 43 
Server version: 5.5.24-0ubuntu0.12.04.1 (Ubuntu) 

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. 

Oracle is a registered trademark of Oracle Corporation and/or its 
affiliates. Other names may be trademarks of their respective 
owners. 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 

mysql> exit 
Bye 


You could also put the password in clear text on the command line, but that would not be 
very secure. Anyone with access to your bash history would be able to read your mysql root 
password. 


root@ubul204~# mysql -u root -phunter2 
Welcome to the MySQL monitor. Commands end with ; or \g. 
3.2.3. ~/.my.cnf 


You can save configuration in your home directory in the hidden file .my.cnf. In the 
screenshot below we put the root user and password in .my.cnf. 


kevin@ubu1204:~$ pwd 
/home/kevin 
kevin@ubu1204:~$ cat .my.cnf 
[client] 
user=root 
password=hunter2 
kevin@ubu1204:~$ 


This enables us to log on as the root mysql user just by typing mysql. 


kevin@ubu1204:~$ mysql 
Welcome to the MySQL monitor.  Commands end with ; or \g. 
Your MySQL connection id is 56 
Server version: 5.5.24-0ubuntu0.12.04.1 (Ubuntu) 


3.2.4. the mysql command line client 


You can use the mysql command to take a look at the databases, and to execute SQL queries 
on them. The screenshots below show you how. 


Here we execute the command show databases. Every command must be terminated by a 
delimiter. The default delimiter is ; (the semicolon). 


mysql> show databases; 
+--------------------+ 
| Database           | 
+--------------------+ 
| information_schema | 
| mysql              | 
| performance_schema | 
| test               | 
+--------------------+ 
4 rows in set (0.00 sec) 


We will use this prompt in the next sections. 
3.3. mysql databases 


3.3.1. listing all databases 


You can use the mysql command to take a look at the databases, and to execute SQL queries 
on them. The screenshots below show you how. First, we log on to our MySQL server and 
execute the command show databases to see which databases exist on our mysql server. 


kevin@ubu1204:~$ mysql 
Welcome to the MySQL monitor.  Commands end with ; or \g. 
Your MySQL connection id is 57 
Server version: 5.5.24-0ubuntu0.12.04.1 (Ubuntu) 

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. 

Oracle is a registered trademark of Oracle Corporation and/or its 
affiliates. Other names may be trademarks of their respective 
owners. 

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 

mysql> show databases; 
+--------------------+ 
| Database           | 
+--------------------+ 
| information_schema | 
| mysql              | 
| performance_schema | 
| test               | 
+--------------------+ 
4 rows in set (0.00 sec) 


3.3.2. creating a database 


You can create a new database with the create database command. 


mysql> create database famouspeople; 
Query OK, 1 row affected (0.00 sec) 


mysql> show databases; 
+--------------------+ 
| Database           | 
+--------------------+ 
| information_schema | 
| famouspeople       | 
| mysql              | 
| performance_schema | 
| test               | 
+--------------------+ 
5 rows in set (0.00 sec) 
3.3.3. using a database 


Next we tell mysql to use one particular database with the use $database command. This 
screenshot shows how to make wikidb the current database (in use). 
mysql> use famouspeople; 
Database changed 
mysql> 


3.3.4. access to a database 


To give someone access to a mysql database, use the grant command. 


mysql> grant all on famouspeople.* to kevin@localhost IDENTIFIED BY "hunter2"; 
Query OK, 0 rows affected (0.00 sec) 


3.3.5. deleting a database 


When a database is no longer needed, you can permanently remove it with the drop database 
command. 


mysql> drop database demodb; 
Query OK, 1 row affected (0.09 sec) 


3.3.6. backup and restore a database 


You can take a backup of a database, or move it to another computer using the mysql and 
mysqldump commands. In the screenshot below, we take a backup of the wikidb database 
on the computer named laika. 


mysqldump -u root famouspeople > famouspeople.backup.20120708.sql 


Here is a screenshot of a database restore operation from this backup. 


mysql -u root famouspeople < famouspeople.backup.20120708.sql 
3.4. mysql tables 


3.4.1. listing tables 


You can see a list of tables in the current database with the show tables; command. Our 
famouspeople database has no tables yet. 


mysql> use famouspeople; 
Database changed 

mysql> show tables; 
Empty set (0.00 sec) 


3.4.2. creating a table 


The create table command will create a new table. 


This screenshot shows the creation of a country table. We use the countrycode as a primary 
key (all country codes are uniquely defined). Most country codes are two or three letters, so 
a char of three uses less space than a varchar of three. The country name and the name of 
the capital are both defined as varchar. The population can be seen as an integer. 


mysql> create table country ( 
    -> countrycode char(3) NOT NULL, 
    -> countryname varchar(70) NOT NULL, 
    -> population int, 
    -> countrycapital varchar(50), 
    -> primary key (countrycode) 
    -> ); 
Query OK, 0 rows affected (0.19 sec) 


mysql> show tables; 
+------------------------+ 
| Tables_in_famouspeople | 
+------------------------+ 
| country                | 
+------------------------+ 
1 row in set (0.00 sec) 
mysql> 


You are allowed to type the create table command on one long line, but administrators often 
use multiple lines to improve readability. 


mysql> create table country ( countrycode char(3) NOT NULL, countryname\ 
varchar(70) NOT NULL, population int, countrycapital varchar(50), prim\ 
ary key (countrycode) ); 

Query OK, 0 rows affected (0.18 sec) 




3.4.3. describing a table 


To see a description of the structure of a table, issue the describe $tablename command 
as shown below. 


mysql> describe country;
+----------------+-------------+------+-----+---------+-------+
| Field          | Type        | Null | Key | Default | Extra |
+----------------+-------------+------+-----+---------+-------+
| countrycode    | char(3)     | NO   | PRI | NULL    |       |
| countryname    | varchar(70) | NO   |     | NULL    |       |
| population     | int(11)     | YES  |     | NULL    |       |
| countrycapital | varchar(50) | YES  |     | NULL    |       |
+----------------+-------------+------+-----+---------+-------+
4 rows in set (0.00 sec)


3.4.4. removing a table 


To remove a table from a database, issue the drop table $tablename command as shown 
below. 


mysql> drop table country; 
Query OK, 0 rows affected (0.00 sec) 
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3.5. mysql records 


3.5.1. creating records 


Use insert to enter data into the table. The screenshot shows several insert statements that 
insert values depending on the position of the data in the statement. 


mysql> insert into country values ('BE','Belgium','11000000','Brussels'); 
Query OK, 1 row affected (0.05 sec) 


mysql> insert into country values ('DE','Germany','82000000','Berlin'); 
Query OK, 1 row affected (0.05 sec) 


mysql> insert into country values ('JP','Japan','128000000','Tokyo'); 
Query OK, 1 row affected (0.05 sec) 


Some administrators prefer to use uppercase for sql keywords. The mysql client accepts 
both. 


mysql> INSERT INTO country VALUES ('FR','France','64000000','Paris'); 
Query OK, 1 row affected (0.00 sec) 


Note that you get an error when using a duplicate primary key. 


mysql> insert into country values ('DE','Germany','82000000','Berlin'); 
ERROR 1062 (23000): Duplicate entry 'DE' for key 'PRIMARY' 


3.5.2. viewing all records 


Below is an example of a simple select query to look at the contents of a table.


mysql> select * from country;
+-------------+---------------+------------+----------------+
| countrycode | countryname   | population | countrycapital |
+-------------+---------------+------------+----------------+
| BE          | Belgium       |   11000000 | Brussels       |
| CN          | China         | 1400000000 | Beijing        |
| DE          | Germany       |   82000000 | Berlin         |
| FR          | France        |   64000000 | Paris          |
| IN          | India         | 1300000000 | New Delhi      |
| JP          | Japan         |  128000000 | Tokyo          |
| MX          | Mexico        |  113000000 | Mexico City    |
| US          | United States |  313000000 | Washington     |
+-------------+---------------+------------+----------------+
8 rows in set (0.00 sec)
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3.5.3. updating records 


Consider the following insert statement. The capital of Spain is not Barcelona, it is Madrid. 


mysql> insert into country values ('ES','Spain','48000000','Barcelona'); 
Query OK, 1 row affected (0.08 sec) 


Using an update statement, the record can be updated. 


mysql> update country set countrycapital='Madrid' where countrycode='ES';
Query OK, 1 row affected (0.07 sec)
Rows matched: 1  Changed: 1  Warnings: 0


We can use a select statement to verify this change.


mysql> select * from country;
+-------------+---------------+------------+----------------+
| countrycode | countryname   | population | countrycapital |
+-------------+---------------+------------+----------------+
| BE          | Belgium       |   11000000 | Brussels       |
| CN          | China         | 1400000000 | Beijing        |
| DE          | Germany       |   82000000 | Berlin         |
| ES          | Spain         |   48000000 | Madrid         |
| FR          | France        |   64000000 | Paris          |
| IN          | India         | 1300000000 | New Delhi      |
| JP          | Japan         |  128000000 | Tokyo          |
| MX          | Mexico        |  113000000 | Mexico City    |
| US          | United States |  313000000 | Washington     |
+-------------+---------------+------------+----------------+
9 rows in set (0.00 sec)


3.5.4. viewing selected records 


Using a where clause in a select statement, you can specify which record(s) you want to see. 


mysql> SELECT * FROM country WHERE countrycode='ES';
+-------------+-------------+------------+----------------+
| countrycode | countryname | population | countrycapital |
+-------------+-------------+------------+----------------+
| ES          | Spain       |   48000000 | Madrid         |
+-------------+-------------+------------+----------------+
1 row in set (0.00 sec)


Another example of the where clause.


mysql> select * from country where countryname='Spain';
+-------------+-------------+------------+----------------+
| countrycode | countryname | population | countrycapital |
+-------------+-------------+------------+----------------+
| ES          | Spain       |   48000000 | Madrid         |
+-------------+-------------+------------+----------------+
1 row in set (0.00 sec)


3.5.5. primary key in where clause ? 


The primary key of a table is a field that uniquely identifies every record (every row) in
the table. When using another field in the where clause, it is possible to get multiple rows
returned.


mysql> insert into country values ('EG','Egypt','82000000','Cairo');
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Query OK, 1 row affected (0.33 sec)

mysql> select * from country where population='82000000';
+-------------+-------------+------------+----------------+
| countrycode | countryname | population | countrycapital |
+-------------+-------------+------------+----------------+
| DE          | Germany     |   82000000 | Berlin         |
| EG          | Egypt       |   82000000 | Cairo          |
+-------------+-------------+------------+----------------+
2 rows in set (0.00 sec)


3.5.6. ordering records 


We know that select allows us to see all records in a table. Consider this table. 


mysql> select countryname, population from country;
+---------------+------------+
| countryname   | population |
+---------------+------------+
| Belgium       |   11000000 |
| China         | 1400000000 |
| Germany       |   82000000 |
| Egypt         |   82000000 |
| Spain         |   48000000 |
| France        |   64000000 |
| India         | 1300000000 |
| Japan         |  128000000 |
| Mexico        |  113000000 |
| United States |  313000000 |
+---------------+------------+
10 rows in set (0.00 sec)


Using the order by clause, we can change the order in which the records are presented. 


mysql> select countryname, population from country order by countryname;
+---------------+------------+
| countryname   | population |
+---------------+------------+
| Belgium       |   11000000 |
| China         | 1400000000 |
| Egypt         |   82000000 |
| France        |   64000000 |
| Germany       |   82000000 |
| India         | 1300000000 |
| Japan         |  128000000 |
| Mexico        |  113000000 |
| Spain         |   48000000 |
| United States |  313000000 |
+---------------+------------+
10 rows in set (0.00 sec)


3.5.7. grouping records 


Consider this table of people. The screenshot shows how to use the avg function to calculate 
an average. 


mysql> select * from people;
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+-----------------+-----------+-----------+-------------+
| Name            | Field     | birthyear | countrycode |
+-----------------+-----------+-----------+-------------+
| Barack Obama    | politics  |      1961 | US          |
| Deng Xiaoping   | politics  |      1904 | CN          |
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| Guy Verhofstadt | politics  |      1959 | BE          |
| Justine Henin   | tennis    |      1982 | BE          |
| Kim Clijsters   | tennis    |      1983 | BE          |
| Li Na           | tennis    |      1982 | CN          |
| Liu Yang        | astronaut |      1978 | CN          |
| Serena Williams | tennis    |      1981 | US          |
| Venus Williams  | tennis    |      1980 | US          |
+-----------------+-----------+-----------+-------------+
9 rows in set (0.00 sec)


mysql> select Field,AVG(birthyear) from people;
+----------+-------------------+
| Field    | AVG(birthyear)    |
+----------+-------------------+
| politics | 1967.111111111111 |
+----------+-------------------+
1 row in set (0.00 sec)


Using the group by clause, we can have an average per field. 


mysql> select Field,AVG(birthyear) from people group by Field;
+-----------+--------------------+
| Field     | AVG(birthyear)     |
+-----------+--------------------+
| astronaut |               1978 |
| politics  | 1939.7333333333333 |
| tennis    |             1981.6 |
+-----------+--------------------+
3 rows in set (0.00 sec)

3.5.8. deleting records 


You can use delete to permanently remove a record from a table.


mysql> delete from country where countryname='Spain'; 
Query OK, 1 row affected (0.06 sec) 


mysql> select * from country where countryname='Spain'; 
Empty set (0.00 sec) 


3.6. joining two tables 


3.6.1. inner join 


With an inner join you can take values from two tables and combine them in one result. 
Consider the country and the people tables from the previous section when looking at this 
screenshot of an inner join. 


mysql> select Name, Field, countryname
-> from country
-> inner join people on people.countrycode=country.countrycode;
+-----------------+-----------+---------------+
| Name            | Field     | countryname   |
+-----------------+-----------+---------------+
| Barack Obama    | politics  | United States |
| Deng Xiaoping   | politics  | China         |
| Guy Verhofstadt | politics  | Belgium       |
| Justine Henin   | tennis    | Belgium       |
| Kim Clijsters   | tennis    | Belgium       |
| Li Na           | tennis    | China         |
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| Liu Yang        | astronaut | China         |
| Serena Williams | tennis    | United States |
| Venus Williams  | tennis    | United States |
+-----------------+-----------+---------------+
9 rows in set (0.00 sec)


This inner join will show only records with a match on countrycode in both tables.


3.6.2. left join


A left join is different from an inner join in that it will take all rows from the left table, 
regardless of a match in the right table. 


mysql> select Name,Field,countryname from country left join people on people.countrycode=count 


+-----------------+-----------+---------------+
| Name            | Field     | countryname   |
+-----------------+-----------+---------------+
| Guy Verhofstadt | politics  | Belgium       |
| Justine Henin   | tennis    | Belgium       |
| Kim Clijsters   | tennis    | Belgium       |
| Deng Xiaoping   | politics  | China         |
| Li Na           | tennis    | China         |
| Liu Yang        | astronaut | China         |
| NULL            | NULL      | Germany       |
| NULL            | NULL      | Egypt         |
| NULL            | NULL      | Spain         |
| NULL            | NULL      | France        |
| NULL            | NULL      | India         |
| NULL            | NULL      | Japan         |
| NULL            | NULL      | Mexico        |
| Barack Obama    | politics  | United States |
| Serena Williams | tennis    | United States |
| Venus Williams  | tennis    | United States |
+-----------------+-----------+---------------+
16 rows in set (0.00 sec)


You can see that some countries are present, even when they have no matching records in 
the people table. 


3.7. mysql triggers 


3.7.1. using a before trigger 


Consider the following create table command. The last field (amount) is the multiplication 
of the two fields named unitprice and unitcount. 


mysql> create table invoices (
-> id char(8) NOT NULL,
-> customerid char(3) NOT NULL,
-> unitprice int,
-> unitcount smallint,
-> amount int );
Query OK, 0 rows affected (0.00 sec)


We can let mysql do the calculation for that by using a before trigger. The screenshot below 
shows the creation of a trigger that calculates the amount by multiplying two fields that are 
about to be inserted. 


mysql> create trigger total_amount before INSERT on invoices
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-> for each row set new.amount = new.unitprice * new.unitcount ;
Query OK, 0 rows affected (0.02 sec)


Here we verify that the trigger works by inserting a new record, without providing the total 
amount. 


mysql> insert into invoices values ('20090526','ABC','199','10','');
Query OK, 1 row affected (0.02 sec)


Looking at the record proves that the trigger works. 


mysql> select * from invoices;
+----------+------------+-----------+-----------+--------+
| id       | customerid | unitprice | unitcount | amount |
+----------+------------+-----------+-----------+--------+
| 20090526 | ABC        |       199 |        10 |   1990 |
+----------+------------+-----------+-----------+--------+
1 row in set (0.00 sec)


3.7.2. removing a trigger 


When a trigger is no longer needed, you can delete it with the drop trigger command. 


mysql> drop trigger total_amount;
Query OK, 0 rows affected (0.00 sec) 
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Chapter 4. introduction to DNS 


dns is a fundamental part of every large computer network. dns is used by many network 
services to translate names into network addresses and to locate services on the network 
(by name). 


Whenever you visit a web site, send an e-mail, log on to Active Directory, play Minecraft, 
chat, or use VoIP, there will be one or (many) more queries to dns services. 


Should dns fail at your organization, then the whole network will grind to a halt (unless you 
hardcoded the network addresses). 


You will notice that even the largest of organizations benefit greatly from having one dns 
infrastructure. Thus dns requires all business units to work together. 


Even at home, most home modems and routers have builtin dns functionality. 


This module will explain what dns actually is and how to set it up using Linux and bind9. 
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4.1. about dns 


4.1.1. name to ip address resolution 


The domain name system or dns is a service on a tcp/ip network that enables clients to 
translate names into ip addresses. Actually dns is much more than that, but let's keep it 
simple for now. 


When you use a browser to go to a website, then you type the name of that website in the 
url bar. But for your computer to actually communicate with the web server hosting said 
website, your computer needs the ip address of that web server. That is where dns comes in. 


[figure: a client at 192.168.1.30 asks the dns server at 212.71.8.10 "Where is google.com ?" and gets the answer "It is at 66.102.13.105."]


In wireshark you can use the dns filter to see this traffic.


[screenshot: wireshark with the display filter "dns" applied, showing the query and its response]


4.1.2. history


In the Seventies, only a few hundred computers were connected to the internet. To resolve 
names, computers had a flat file that contained a table to resolve hostnames to ip addresses. 
This local file was downloaded from hosts.txt on an ftp server in Stanford. 


In 1984 Paul Mockapetris created dns, a distributed treelike hierarchical database that will 
be explained in detail in these chapters. 


Today, dns or domain name system is a worldwide distributed hierarchical database
controlled by ICANN. Its primary function is to resolve names to ip addresses, and to point
to internet servers providing smtp or ldap services.


The old hosts.txt file is still active today on most computer systems under the name /etc/ 
hosts (or C:/Windows/System32/Drivers/etc/hosts). We will discuss this file later, as it can 
influence name resolution. 
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4.1.3. forward and reverse lookup queries 


The question a client asks a dns server is called a query. When a client queries for an ip 
address, this is called a forward lookup query (as seen in the previous drawing). 


The reverse, a query for the name of a host, is called a reverse lookup query. 


Below is a picture of a reverse lookup query.


[figure: the client at 192.168.1.30 asks the dns server at 212.71.8.10 "Who is 178.63.30.100 ?" and gets the answer "It is antares.ginsys.net."]


Here is a screenshot of a reverse lookup query in nslookup. 


root@debian7:~# nslookup
> set type=PTR
> 188.93.155.87
Server:         192.168.1.42
Address:        192.168.1.42#53


Non-authoritative answer:
87.155.93.188.in-addr.arpa      name = antares.ginsys.net.


This is what a reverse lookup looks like when sniffing with tcpdump.


root@debian7:~# tcpdump udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
[timestamp unreadable] IP 192.168.1.103.42041 > 192.168.1.42.domain: 14763+ PTR? 87.155.93.188.in-addr.arpa. (44)

11:01:29.640093 IP 192.168.1.42.domain > 192.168.1.103.42041: 14763 1/0/0 PTR antares.ginsys.net. (76)


And here is what it looks like in wireshark (note this is an older screenshot).


[screenshot: wireshark with the dns filter applied, showing the PTR query and its response]
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4.1.4. /etc/resolv.conf 


A client computer needs to know the ip address of the dns server to be able to send queries 
to it. This is either provided by a dhep server or manually entered. 


Linux clients keep this information in the /etc/resolv.conf file. 


root@debian7:~# cat /etc/resolv.conf
domain linux-training.be
search linux-training.be
nameserver 192.168.1.42
root@debian7:~#


You can manually change the ip address in this file to use another dns server. For example
Google provides a public name server at 8.8.8.8 and 8.8.4.4.


root@debian7:~# cat /etc/resolv.conf
nameserver 8.8.8.8
root@debian7:~#


Please note that on dhcp clients this value can be overwritten when the dhcp lease is 
renewed. 
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4.2. dns namespace 
4.2.1. hierarchy 


The dns namespace is a hierarchical tree structure, with the root servers (aka dot-servers) at
the top. The root servers are usually represented by a dot.


Below the root-servers are the Top Level Domains or tld's. 


There are more tld's than shown in the picture. Currently about 200 countries have a tld. And
there are several general tld's like .com, .edu, .org, .gov, .net, .mil, .int and more recently
also .aero, .info, .museum, ...


4.2.2. root servers 


There are thirteen root servers on the internet, they are named A to M. Journalists often 
refer to these servers as the master servers of the internet, because if these servers go 
down, then nobody can (use names to) connect to websites. 


The root servers are not thirteen physical machines, they are many more. For example the
F root server consists of 46 physical machines that all behave as one (using anycast).


http://root-servers.org
http://f.root-servers.org
http://en.wikipedia.org/wiki/Root_nameserver
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4.2.3. root hints 


Every dns server software will come with a list of root hints to locate the root servers. 


This screenshot shows a small portion of the root hints file that comes with bind 9.8.4. 


root@debian7:~# grep -w 'A ' /etc/bind/db.root
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
root@debian7:~#


4.2.4. domains


One level below the top level domains are the domains. Domains can have subdomains
(also called child domains).


This picture shows dns domains like google.com, chess.com, linux-training.be (there are
millions more).


[figure: the root "." with the tld's ".com" and ".be" below it; "google.com" and "chess.com" hang under ".com", "linux-training.be" under ".be"]


DNS domains are registered at the tld servers, the tld servers are registered at the dot
servers.
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4.2.5. top level domains 


Below the root level are the top level domains or tld's. Originally there were only seven 
defined: 


Table 4.1. the first top level domains


year   TLD     purpose
1985   .arpa   Reverse lookup via in-addr.arpa
1985   .com    Commercial Organizations
1985   .edu    US Educational Institutions
1985   .gov    US Government Institutions
1985   .mil    US Military
1985   .net    Internet Service Providers, Internet Infrastructure
1985   .org    Non profit Organizations
1988   .int    International Treaties like nato.int


Country tld's were defined for individual countries, like .uk in 1985 for Great Britain (yes 
really), .be for Belgium in 1988 and .fr for France in 1986. See RFC 1591 for more info. 


In 1998 seven new general purpose tld's were chosen; they became active in the 21st
century.


Table 4.2. new general purpose tld's


year   TLD       purpose
2002   .aero     aviation related
2001   .biz      businesses
2001   .coop     for co-operatives
2001   .info     informative internet resources
2001   .museum   for museums
2001   .name     for all kinds of names, pseudonyms and labels...
2004   .pro      for professionals


Many people were surprised by the choices, claiming not much use for them and wanting
a separate .xxx domain (introduced in 2011) for adult content, and .kidz as a safe haven for
children. In the meantime more useless tld's were created like .travel (for travel agents),
.tel (for internet communications) and .jobs (for job sites).


In 2012 ICANN released a list of 2000 new tld's that would gradually become available. 
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4.2.6. fully qualified domain name 


The fully qualified domain name or fqdn is the combination of the hostname of a machine 
appended with its domain name. 


If for example a system is called gwen and it is in the domain linux-training.be, then the 
fqdn of this system is gwen.linux-training.be. 


On Linux systems you can use the hostname and dnsdomainname commands to verify 
this information. 


root@gwen:~# hostname
gwen
root@gwen:~# dnsdomainname
linux-training.be
root@gwen:~# hostname --fqdn
gwen.linux-training.be
root@gwen:~# cat /etc/debian_version
[version unreadable]


4.2.7. dns zones 


A zone (aka a zone of authority) is a portion of the DNS tree that covers one domain name
or child domain name. The picture below represents zones as blue ovals. Some zones delegate
authority over a child domain to another zone.


[figure: zones drawn as ovals around ".com" and ".be"; below them "google.com", "chess.com" and "linux-training.be", with the child domains "mail.google.com" and "test.linux-training.be" below those]


A dns server can be authoritative over 0, 1 or more dns zones. We will see more details 
later on the relation between a dns server and a dns zone. 


A dns zone consists of records, also called resource records. We will list some of those 
resource records on the next page. 
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4.2.8. dns records 
A record 


The A record, which is also called a host record contains the ipv4-address of a computer. 
When a DNS client queries a DNS server for an A record, then the DNS server will resolve 
the hostname in the query to an ip address. An AAAA record is similar but contains an ipv6 
address instead of ipv4. 


PTR record 


A PTR record is the reverse of an A record. It contains the name of a computer and can be 
used to resolve an ip address to a hostname. 


NS record 


An NS record or nameserver record is a record that points to a DNS name server (in this
zone). You can list all your name servers for your DNS zone in distinct NS records.


glue A record 
An A record that maps the name of an NS record to an ip address is said to be a glue record. 


SOA record 


The SOA record of a zone contains meta information about the zone itself. The contents of
the SOA record is explained in detail in the section about zone transfers. There is exactly
one SOA record for each zone.


CNAME record 


A CNAME record maps a hostname to a hostname, creating effectively an alias for an 
existing hostname. The name of the mail server is often aliased to mail or smtp, and the 
name of a web server to www. 


MX record 


The MX record points to an smtp server. When you send an email to another domain, then 
your mail server will need the MX record of the target domain's mail server. 




4.3. caching only servers 


A dns server that is set up without authority over a zone, but that is connected to other 
name servers and caches the queries is called a caching only name server. Caching only 
name servers do not have a zone database with resource records. Instead they connect to 
other name servers and cache that information. 


There are two kinds of caching only name servers. Those with a forwarder, and those that 
use the root servers. 
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4.3.1. caching only server without forwarder 


A caching only server without forwarder will have to get information elsewhere. When it 
receives a query from a client, then it will consult one of the root servers. The root server 
will refer it to a tld server, which will refer it to another dns server. That last server might 
know the answer to the query, or may refer to yet another server. In the end, our hard working 
dns server will find an answer and report this back to the client. 


In the picture below, the client asks for the ip address of linux-training.be. Our caching only
server will contact the root server, and be referred to the .be server. It will then contact the .be
server and be referred to one of the name servers of Openminds. One of these name servers
(in this case ns1.openminds.be) will answer the query with the ip address of linux-training.be.
When our caching only server reports this to the client, then the client can connect to this
website.


[figure: the client asks the caching only server "Where is linux-training.be ?"; the caching only server walks the tree from "." over ".be" to "linux-training.be" (ns2.openminds.be) and answers "It is at 188.93.155.87."]


Sniffing with tcpdump will give you this (the first 20 characters of each line are cut).


192.168.1.103.41251 > M.ROOT-SERVERS.NET.domain: 37279% [1au] A? linux-tr\
aining.be. (46)
M.ROOT-SERVERS.NET.domain > 192.168.1.103.41251: 37279- 0/11/13 (740)
192.168.1.103.65268 > d.ns.dns.be.domain: 38555% [1au] A? linux-training.\
be. (46)
d.ns.dns.be.domain > 192.168.1.103.65268: 38555- 0/7/7 (737)
192.168.1.103.7514 > ns2.openminds.be.domain: 60888% [1au] A? linux-train\
ing.be. (46)
ns2.openminds.be.domain > 192.168.1.103.7514: 60888*- 1/0/1 A 188.93.155.\
87 (62)
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4.3.2. caching only server with forwarder 


A caching only server with a forwarder is a DNS server that will get all its information
from the forwarder. The forwarder must be a dns server, for example the dns server of
an internet service provider.


[figure: a company DNS server on the LAN sends its queries to "the forwarder" (the isp dns server), which in turn queries the internet]


This picture shows a dns server on the company LAN that has set the dns server from their
isp as a forwarder. If the ip address of the isp dns server is 212.71.8.10, then the following
lines would occur in the named.conf file of the company dns server:


forwarders {
        212.71.8.10;
};


You can also configure your dns server to work with conditional forwarder(s). The
definition of a conditional forwarder looks like this.


zone "someotherdomain.local" {
        type forward;
        forward only;
        forwarders { 10.104.42.1; };
};


4.3.3. iterative or recursive query 


A recursive query is a DNS query where the client that is submitting the query expects a
complete answer (like the fat red arrow above going from the Macbook to the DNS server).
An iterative query is a DNS query where the client does not expect a complete answer (the
three black arrows originating from the DNS server in the picture above). Iterative queries
usually take place between name servers. The root name servers do not respond to recursive
queries.
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4.4. authoritative dns servers 


A DNS server that is controlling a zone, is said to be the authoritative DNS server for that 
zone. Remember that a zone is a collection of resource records. 


[figure: the zone "linux-training.be" drawn as an oval containing its SOA, NS and other resource records]


4.5. primary and secondary 


When you set up the first authoritative dns server for a zone, then this is called the primary 
dns server. This server will have a readable and writable copy of the zone database. For 
reasons of fault tolerance, performance or load balancing you may decide to set up another 
dns server with authority over that zone. This is called a secondary dns server. 


[figure: two copies of the "linux-training.be" zone, each with its SOA, NS and MX records: the primary dns server holds a writable copy of the zone, the secondary dns server a readonly copy of the zone]


4.6. zone transfers 


The slave server receives a copy of the zone database from the master server using a 
zone transfer. Zone transfers are requested by the slave servers at regular intervals. Those 
intervals are defined in the soa record. 


[figure: a zone transfer from the master server to the slave server]


You can force a refresh of a zone with rndc. The example below forces a transfer of the
fred.local zone, and shows the log from /var/log/syslog.


root@debian7:/etc/bind# rndc refresh fred.local 
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root@debian7:/etc/bind# grep fred /var/log/syslog | tail -7 | cut -c38-

zone fred.local/IN: sending notifies (serial 1) 

received control channel command 'refresh fred.local' 

zone fred.local/IN: Transfer started. 

transfer of 'fred.local/IN' from 10.104.109.1#53: connected using 10.104.33.30#57367

zone fred.local/IN: transferred serial 2

transfer of 'fred.local/IN' from 10.104.109.1#53: Transfer completed: 1 messages, 10 records,
zone fred.local/IN: sending notifies (serial 2) 

root@debian7:/etc/bind# 
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4.7. master and slave 


When adding a secondary dns server to a zone, then you will configure this server as a 
slave server to the primary server. The primary server then becomes the master server 
of the slave server. 


Often the primary dns server is the master server of all slaves. Sometimes a slave server 
is master server for a second line slave server. In the picture below ns1 is the primary dns 
server and ns2, ns3 and ns4 are secondaries. The master for slaves ns2 and ns3 is ns1, but 
the master for ns4 is ns2. 


[figure: ns1 is the master and sends zone transfers to its slaves ns2 and ns3; ns2 is in turn the master that sends zone transfers to its slave ns4]


4.8. SOA record 


The soa record contains a refresh value. If this is set to 30 minutes, then the slave server 
will request a copy of the zone file every 30 minutes. There is also a retry value. The retry 
value is used when the master server did not reply to the last zone transfer request. The value 
for expiry time says how long the slave server will answer to queries, without receiving 
a zone update. 


Below an example of how to use nslookup to query the soa record of a zone (linux- 
training.be). 


root@debian6:~# nslookup
> set type=SOA
> server ns1.openminds.be
> linux-training.be
Server:         ns1.openminds.be
Address:        195.47.215.14#53


linux-training.be
        origin = ns1.openminds.be
        mail addr = hostmaster.openminds.be
        serial = 2321001133
        refresh = 14400
        retry = 3600
        expire = 604800
        minimum = 3600


Zone transfers only occur when the zone database was updated (meaning when one or more 
resource records were added, removed or changed on the master server). The slave server 
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will compare the serial number of its own copy of the SOA record with the serial number 
of its master's SOA record. When both serial numbers are the same, then no update is needed 
(because no records were added, removed or deleted). When the slave has a lower serial 
number than its master, then a zone transfer is requested. 
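The refresh, retry and expire values of this section and the serial comparison just described, as added Python example code (not from the book): it parses an SOA record in the layout nslookup prints above and decides, as a slave would, whether to request a transfer and when to check again. It goes beyond the text by comparing serials with the wrap-around rule of RFC 1982 rather than a plain "lower than" test; the sample record is a constructed copy of the one shown above.

```python
import re

# Constructed copy of the SOA record nslookup printed in the text
# (example data; the values are the ones shown on the page).
SAMPLE_SOA = """\
linux-training.be
        origin = ns1.openminds.be
        mail addr = hostmaster.openminds.be
        serial = 2321001133
        refresh = 14400
        retry = 3600
        expire = 604800
        minimum = 3600
"""

SERIAL_MODULUS = 1 << 32        # SOA serials are unsigned 32-bit and wrap around
HALF = SERIAL_MODULUS // 2


def parse_soa(text):
    """nslookup-style 'key = value' lines -> dict; numeric fields become ints."""
    soa = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z][a-z ]*?)\s*=\s*(\S+)\s*$", line)
        if m:
            key, value = m.groups()
            soa[key] = int(value) if value.isdigit() else value
    return soa


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: is serial a newer than serial b?

    Plain '>' breaks once a serial wraps past 2^32 - 1; this comparison
    treats a as newer when it lies less than half the counter ahead of b.
    """
    a, b = a % SERIAL_MODULUS, b % SERIAL_MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def transfer_needed(slave_serial, master_serial):
    """A slave requests a zone transfer only when the master's serial is newer."""
    return serial_newer(master_serial, slave_serial)


def next_check_in(soa, last_attempt_failed):
    """Seconds until the slave asks again: refresh normally, retry after a failed attempt."""
    return soa["retry"] if last_attempt_failed else soa["refresh"]


def still_authoritative(soa, seconds_since_last_refresh):
    """Within the expire window the slave keeps answering even without a successful refresh."""
    return seconds_since_last_refresh < soa["expire"]
```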


Below a zone transfer captured in wireshark. 


No.  Time      Source        Destination   Protocol  Info
1    0.000000  192.168.1.37  192.168.1.35  DNS       Standard query SOA cobbaut.paul
2    0.008502  192.168.1.35  192.168.1.37  DNS       Standard query response SOA ns.cobbaut.paul
3    0.014672  192.168.1.37  192.168.1.35  TCP       33713 > domain [SYN] Seq=0 Win=5840 Len=0 MS
4    0.015215  192.168.1.35  192.168.1.37  TCP       domain > 33713 [SYN, ACK] Seq=0 Ack=1 Win=57
5    0.015307  192.168.1.37  192.168.1.35  TCP       33713 > domain [ACK] Seq=1 Ack=1 Win=5856 Le
6    0.015954  192.168.1.37  192.168.1.35  TCP       [TCP segment of a reassembled PDU]
7    0.018359  192.168.1.35  192.168.1.37  TCP       domain > 33713 [ACK] Seq=1 Ack=3 Win=5792 Le
8    0.018411  192.168.1.37  192.168.1.35  DNS       Standard query IXFR cobbaut.paul
9    0.018823  192.168.1.35  192.168.1.37  TCP       domain > 33713 [ACK] Seq=1 Ack=77 Win=5792 L
10   0.019784  192.168.1.35  192.168.1.37  DNS       Standard query response SOA ns.cobbaut.paul
11   0.019821  192.168.1.37  192.168.1.35  TCP       33713 > domain [ACK] Seq=77 Ack=295 Win=6912


4.9. full or incremental zone transfers 


When a zone transfer occurs, this can be either a full zone transfer or an incremental zone
transfer. The decision depends on the size of the transfer that is needed to completely update
the zone on the slave server. An incremental zone transfer is preferred when the total size
of changes is smaller than the size of the zone database. Full zone transfers use the axfr
protocol, incremental zone transfers use the ixfr protocol.
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4.10. DNS cache 


DNS is a caching protocol. 


When a client queries its local DNS server, and the local DNS server is not authoritative 
for the query, then this server will go looking for an authoritative name server in the DNS 
tree. The local name server will first query a root server, then a tld server and then a domain 
server. When the local name server resolves the query, then it will relay this information to 
the client that submitted the query, and it will also keep a copy of these queries in its cache. 
So when a(nother) client submits the same query to this name server, then it will retrieve
this information from its cache.


For example, a client sends a query for the A record of www.linux-training.be to its local
server. This is the first query ever received by this local server. The local server checks that it is
not authoritative for the linux-training.be domain, nor for the .be tld, and it is also not a root
server. So the local server will use the root hints to send an iterative query to a root server.


The root server will reply with a reference to the server that is authoritative for the .be
domain (root DNS servers do not resolve fqdns, and root servers do not respond to recursive
queries).


The local server will then send an iterative query to the authoritative server for the .be tld.
This server will respond with a reference to the name server that is authoritative for the
linux-training.be domain.


The local server will then send the query for www.linux-training.be to the authoritative server
(or one of its slave servers) for the linux-training.be domain. When the local server receives
the ip address for www.linux-training.be, then it will provide this information to the client
that submitted this query.


Besides caching the A record for www.linux-training.be, the local server will also cache the 
NS and A record for the linux-training.be name server and the .be name server. 
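As an added illustration (not from the book), here is a toy model of the iterative lookup and caching described above. The server names, addresses and the TTL are constructed; only the query flow (root, then tld, then domain, with the intermediate NS and glue A records cached) follows the text.

```python
# Constructed authoritative data: what each server in the tree knows.
# "ns" maps a delegated child zone to its name server, "glue" gives that
# server's address, "a" holds the zone's own A records.
SERVERS = {
    ".": {"ns": {"be.": "ns.dns.be."}, "glue": {"ns.dns.be.": "203.0.113.1"}},
    "be.": {"ns": {"linux-training.be.": "ns1.linux-training.be."},
            "glue": {"ns1.linux-training.be.": "203.0.113.2"}},
    "linux-training.be.": {"a": {"www.linux-training.be.": "203.0.113.10",
                                 "mail.linux-training.be.": "203.0.113.11"}},
}
TTL = 300   # constructed: how long the local server keeps an answer


class CachingResolver:
    """The local (non-authoritative) name server of the text."""

    def __init__(self):
        self.cache = {}          # (name, type) -> (value, expires_at)
        self.upstream_log = []   # zones whose authoritative server we asked

    def _get(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        return hit[0] if hit and hit[1] > now else None

    def _put(self, name, rtype, value, now):
        self.cache[(name, rtype)] = (value, now + TTL)

    def _ask(self, zone):
        """One iterative query to the server authoritative for `zone`."""
        self.upstream_log.append(zone)
        return SERVERS[zone]

    def resolve(self, qname, now=0):
        """Return the A record for qname, asking upstream only when needed."""
        cached = self._get(qname, "A", now)
        if cached:
            return cached
        labels = qname.split(".")
        enclosing = [".".join(labels[i:]) or "." for i in range(1, len(labels))]
        # Start at the closest enclosing zone whose NS record is still cached
        # (e.g. linux-training.be. for a second name in that zone), otherwise
        # at a root server from the root hints.
        zone = next((z for z in enclosing if self._get(z, "NS", now)), ".")
        while True:
            data = self._ask(zone)
            if qname in data.get("a", {}):
                self._put(qname, "A", data["a"][qname], now)
                return data["a"][qname]
            # Referral: the server hands back the NS (and glue A) of the child
            # zone that contains qname; cache both, then ask that server.
            child = next((z for z in data.get("ns", {})
                          if qname.endswith("." + z)), None)
            if child is None:
                raise LookupError(f"{qname}: no data and no delegation at {zone}")
            nsname = data["ns"][child]
            self._put(child, "NS", nsname, now)
            self._put(nsname, "A", data["glue"][nsname], now)
            zone = child


def demo():
    """Four lookups; returns [(name, address, zones asked upstream)]."""
    r = CachingResolver()
    out = []
    for name, t in (("www.linux-training.be.", 0),          # cold cache
                    ("www.linux-training.be.", 1),          # same query again
                    ("mail.linux-training.be.", 2),         # other name, same zone
                    ("www.linux-training.be.", TTL + 5)):   # after the TTL expired
        before = len(r.upstream_log)
        addr = r.resolve(name, now=t)
        out.append((name, addr, r.upstream_log[before:]))
    return out


if __name__ == "__main__":
    for name, addr, asked in demo():
        print(f"{name:<26} {addr:<14} asked: {asked or 'nobody (cache)'}")
```

The first lookup costs three upstream queries, the repeat costs none, a second name in the same zone only needs the cached NS record, and once the TTL has passed the whole walk starts again from the root.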
4.11. forward lookup zone example


The way to set up zones in /etc/bind/named.conf.local is to create a zone entry with a 
reference to another file (this other file contains the zone database). 


Here is an example of such an entry in /etc/bind/named.conf.local: 


root@debian7:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "paul.local" IN {
	type master;
	file "/etc/bind/db.paul.local";
	allow-update { none; };
};
root@debian7:~#


To create the zone file, the easy method is to copy an existing zone file (this is easier than 
writing from scratch). 


root@debian7:/etc/bind# cp db.empty db.paul.local 
root@debian7:/etc/bind# vi db.paul.local 


Here is an example of a zone file. 


root@debian7:/etc/bind# cat db.paul.local
; zone for classroom teaching
$TTL 86400
@ IN SOA debianpaul.paul.local. root.paul.local (
	2014100100 ; Serial
	1h ; Refresh
	1h ; Retry
	2h ; Expire
	86400 ) ; Negative Cache TTL
; name servers
	IN NS ns1
	IN NS debianpaul
	IN NS debian7
; servers
debianpaul IN A 10.104.33.30
debian7 IN A 10.104.33.30
ns1 IN A 10.104.33.30
;www IN A 10.104.33.30
4.12. example: caching only DNS server


1. installing DNS software on Debian

root@debian7:~# aptitude update && aptitude upgrade
root@debian7:~# aptitude install bind9
root@debian7:~# dpkg -l | grep bind9 | tr -s ' '
ii bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u2 amd64 Internet Domain Name Server
ii bind9-host 1:9.8.4.dfsg.P1-6+nmu2+deb7u2 amd64 Version of 'host' bundled...
ii bind9utils 1:9.8.4.dfsg.P1-6+nmu2+deb7u2 amd64 Utilities for BIND
ii libbind9-80 1:9.8.4.dfsg.P1-6+nmu2+deb7u2 amd64 BIND9 Shared Library use...
root@debian7:~#


2. Discover the default configuration files. Can you define the purpose of each file?


root@debian7:~# ls -l /etc/bind
total 52
-rw-r--r-- 1 root root 2389 Sep 5 20:25 bind.keys
-rw-r--r-- 1 root root  237 Sep 5 20:25 db.0
-rw-r--r-- 1 root root  271 Sep 5 20:25 db.127
-rw-r--r-- 1 root root  237 Sep 5 20:25 db.255
-rw-r--r-- 1 root root  353 Sep 5 20:25 db.empty
-rw-r--r-- 1 root root  270 Sep 5 20:25 db.local
-rw-r--r-- 1 root root 3048 Sep 5 20:25 db.root
-rw-r--r-- 1 root bind  463 Sep 5 20:25 named.conf
-rw-r--r-- 1 root bind  490 Sep 5 20:25 named.conf.default-zones
-rw-r--r-- 1 root bind  974 Oct 1 20:50 named.conf.local
-rw-r--r-- 1 root bind  913 Oct 1 13:24 named.conf.options
-rw-r----- 1 bind bind   77 Oct 1 ... rndc.key
-rw-r--r-- 1 root root 1317 Sep 5 20:25 zones.rfc1918


3. Set up a caching-only dns server. This is normally the default setup. A caching-only name
server will look up names for you and cache them. Many tutorials will tell you to add a
forwarder, but we first try without this!


Hey, this seems to work without a forwarder. Using a sniffer you can find out what really
happens. Your freshly installed dns server has nothing in its cache yet, and it is not using your local
dns server (from /etc/resolv.conf). So where is this information coming from? And what
can you learn from sniffing this dns traffic?
4. Explain in detail what happens when you enable a caching-only dns server without a
forwarder. This wireshark screenshot can help, but you learn more by sniffing the traffic
yourself.


No.  Time       Source       Destination   Protocol Info
210  18.483161  128.8.10.90  192.168.1.37  DNS      Standard query response

Transaction ID: 0x6826
Flags: 0x8000 (Standard query response, No error)
Questions: 1
Answer RRs: 0
Authority RRs: 9
Additional RRs: 13
Queries
    slashdot.org: type A, class IN
Authoritative nameservers
    org: type NS, class IN, ns a2.org.afilias-nst.info
    org: type NS, class IN, ns b2.org.afilias-nst.org
    org: type NS, class IN, ns d0.org.afilias-nst.org
    org: type NS, class IN, ns b0.org.afilias-nst.org
    org: type NS, class IN, ns a0.org.afilias-nst.info
    org: type NS, class IN, ns c0.org.afilias-nst.info
    org: type DS, class IN
    org: type DS, class IN
    org: type RRSIG, class IN
Additional records


You should see traffic to a root name server whenever you try a new tld for the first time. 
Remember that dns is a caching protocol, which means that repeating a query will generate 
a lot less traffic since your dns server will still have the answer in its memory. 
4.13. example: caching only with forwarder


5. Add the public Google dns server as a forwarder. The ip address of this server is 8.8.8.8.


Before the change:


root@debian7:~# grep -A2 'forwarders {' /etc/bind/named.conf.options
	// forwarders {
	// 	0.0.0.0;
	// };


changing:
root@debian7:~# vi /etc/bind/named.conf.options


After the change:


root@debian7:~# grep -A2 'forwarders {' /etc/bind/named.conf.options
	forwarders {
		8.8.8.8;
	};


Restart the server:


root@debian7:~# service bind9 restart
Stopping domain name service...: bind9.
Starting domain name service...: bind9.


6. Explain the purpose of adding the forwarder. What is our dns server doing when it
receives a query?


root@debian7:~# nslookup
> server
Default server: 10.104.33.30
Address: 10.104.33.30#53
> linux-training.be
Server:		10.104.33.30
Address:	10.104.33.30#53

Non-authoritative answer:
Name:	linux-training.be
Address: 188.93.155.87
>


This is the output of tcpdump udp port 53 while executing the above query for
linux-training.be in nslookup.


root@debian7:~# tcpdump udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes


You should find the following two lines in the output of tcpdump:


10.104.33.30.19381 > google-public-dns-a.google.com.domain: 18237+% [1au] A? \
linux-training.be. (46)
google-public-dns-a.google.com.domain > 10.104.33.30.19381: 18237 1/0/1 A 188\
.93.155.87 (62)
Below is an (old) wireshark screenshot that can help, you should see something similar (but
with different ip addresses).


No.  Time       Source        Destination  Protocol Info
278  13.741725  192.168.1.37  192.168.1.1  DNS      Standard query A cobbaut.be

Frame 278 (81 bytes on wire, 81 bytes captured)
Ethernet II, Src: 8c:7b:9d:d6:df:f2 (8c:7b:9d:d6:df:f2), Dst: ZygateCo_aa:68:f0 (00:02:cf:aa:68
Internet Protocol, Src: 192.168.1.37 (192.168.1.37), Dst: 192.168.1.1 (192.168.1.1)
User Datagram Protocol, Src Port: 44677 (44677), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0xf488
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        cobbaut.be: type A, class IN
    Additional records


7. What happens when you query for the same domain name more than once ? 
8. Why does it say "non-authoritative answer" ? When is a dns server authoritative ? 


9. You can also use dig instead of nslookup.
root@debian7:~# dig @10.104.33.30 linux-training.be +short
188.93.155.87
root@debian7:~#


10. How can we avoid having to set the server in dig or nslookup ? 


Change this:
root@debian7:~# cat /etc/resolv.conf
nameserver 10.46.101.1
root@debian7:~#


into this:
root@debian7:~# cat /etc/resolv.conf
nameserver 10.104.33.30
root@debian7:~#


11. When you use dig for the first time for a domain, where is the answer coming from ? 
And the second time ? How can you tell ? 
4.14. example: primary authoritative server


1. Instead of only caching the information from other servers, we will now make our server
authoritative for our own domain.


2. I choose the top level domain .local and the domain paul.local and put the information 
in /etc/bind/named.conf.local. 


root@debian7:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "paul.local" IN {
	type master;
	file "/etc/bind/db.paul.local";
	allow-update { none; };
};


3. Also add a zone database file, similar to this one (add some A records for testing). Set 
the Refresh and Retry values not too high so you can sniff this traffic (this example makes 
the slave server contact the master every hour). 


root@debian7:~# cat /etc/bind/db.paul.local
; zone for classroom teaching
$TTL 86400
@ IN SOA debianpaul.paul.local. root.paul.local (
	2014100101 ; Serial
	1h ; Refresh
	1h ; Retry
	2h ; Expire
	900 ) ; Negative Cache TTL
; name servers
	IN NS ns1
	IN NS debianpaul
	IN NS debian7
; servers
debianpaul IN A 10.104.33.30
debian7 IN A 10.104.33.30
ns1 IN A 10.104.33.30
;www IN A 10.104.33.30
root@debian7:~#


Note that the www record is commented out, so it will not resolve.
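The zone files in 4.11 and in this section follow the same layout, so here is an added example (not from the book) that parses such a file and runs the checks one would want before loading it: the serial is in the YYYYMMDDnn form used above, the SOA timers are consistent, and every in-zone name server has an A record. The zone text is a constructed copy of db.paul.local with the www record commented out, as in the book.

```python
import re

# Constructed copy of the db.paul.local zone file shown above; the www record
# is commented out exactly as in the book.
ZONE_TEXT = """\
; zone for classroom teaching
$TTL 86400
@ IN SOA debianpaul.paul.local. root.paul.local (
    2014100101 ; Serial
    1h ; Refresh
    1h ; Retry
    2h ; Expire
    900 ) ; Negative Cache TTL
; name servers
    IN NS ns1
    IN NS debianpaul
    IN NS debian7
; servers
debianpaul IN A 10.104.33.30
debian7 IN A 10.104.33.30
ns1 IN A 10.104.33.30
;www IN A 10.104.33.30
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def ttl_seconds(value):
    """Convert a BIND time value (900, 1h, 2h, 1w2d) to seconds."""
    if value.isdigit():
        return int(value)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", value.lower()))


def fqdn(name, origin):
    """Expand @ or a relative name against the origin (which ends in a dot)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (default_ttl, soa, records); records are (owner, type, rdata)."""
    statements, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # ';' starts a comment
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):           # SOA continues on next line
            continue
        if buf.strip():
            tokens = buf.replace("(", " ").replace(")", " ").split()
            statements.append((buf[0].isspace(), tokens))  # leading blank = same owner
        buf = ""
    default_ttl, soa, records, owner = None, None, [], "@"
    for owner_omitted, toks in statements:
        if toks[0] == "$TTL":
            default_ttl = ttl_seconds(toks[1])
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if not owner_omitted:
            owner, toks = toks[0], toks[1:]
        if toks[0].isdigit():                         # optional per-record TTL
            toks = toks[1:]
        if toks[0] == "IN":
            toks = toks[1:]
        rtype, rdata = toks[0], toks[1:]
        if rtype == "SOA":
            soa = {"mname": fqdn(rdata[0], origin), "serial": rdata[2],
                   "refresh": ttl_seconds(rdata[3]), "retry": ttl_seconds(rdata[4]),
                   "expire": ttl_seconds(rdata[5]), "minimum": ttl_seconds(rdata[6])}
        else:
            target = fqdn(rdata[0], origin) if rtype in ("NS", "CNAME") else rdata[0]
            records.append((fqdn(owner, origin), rtype, target))
    return default_ttl, soa, records


def lookup(records, name, rtype):
    return [r for o, t, r in records if o == name and t == rtype]


def check_zone(text, origin):
    """Sanity checks worth running before loading the zone; returns findings."""
    _, soa, records = parse_zone(text, origin)
    if soa is None:
        return ["no SOA record"]
    findings = []
    if not re.fullmatch(r"\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", soa["serial"]):
        findings.append(f"serial {soa['serial']} is not in YYYYMMDDnn form")
    if soa["retry"] > soa["refresh"]:
        findings.append("retry is larger than refresh")
    if soa["expire"] <= soa["refresh"]:
        findings.append("expire does not exceed refresh")
    # The SOA master and every in-zone NS target need an A record here,
    # otherwise slaves and resolvers cannot reach them (a lame server).
    have_a = {o for o, t, _ in records if t == "A"}
    servers = {soa["mname"]} | {r for o, t, r in records if t == "NS" and o == origin}
    for srv in sorted(servers):
        if srv.endswith("." + origin) and srv not in have_a:
            findings.append(f"name server {srv} has no A record in the zone")
    return findings
```

Running check_zone on the text above reports nothing, a lookup for www.paul.local. comes back empty because the record is commented out, and removing the ns1 A record or using Jesse's 8-digit serial from 4.15 each produces a finding.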
4.14.1. using your own DNS server


If you are confident that your dns server works, then set it as default and only dns server 
in /etc/resolv.conf. 


root@debian7:~# cat /etc/resolv.conf
nameserver 10.104.33.30
root@debian7:~#


In case you also use dhclient, you will need to add your dns server to
/etc/dhcp/dhclient.conf.


root@debian7:~# diff /etc/dhcp/dhclient.conf /etc/dhcp/dhclient.conf.original
21c21
< prepend domain-name-servers 10.104.33.30;
---
> #prepend domain-name-servers 127.0.0.1;
23,24c23
< #	domain-name, domain-name-servers, domain-search, host-name,
< 	domain-name, domain-search, host-name,
---
> 	domain-name, domain-name-servers, domain-search, host-name,
root@debian7:~#


The above screenshot shows that 10.104.33.30 is now prepended as name server, and that
the dhcp client no longer requests domain-name-servers from the dhcp server.


Adjust /etc/hosts to reflect your domain name and verify with hostname and 
dnsdomainname. 


root@debian7:~# grep debian7 /etc/hosts 
127.0.1.1 debian7.paul.local debian7 
root@debian7:~# hostname 

debian7 

root@debian7:~# hostname --fqdn 
debian7.paul.local 

root@debian7:~# dnsdomainname 
paul.local 
4.14.2. using your own domain


Consider the following screenshot: 


root@debian7b:~# cat /etc/resolv.conf
nameserver 10.104.33.30
root@debian7b:~# ping -c1 www
ping: unknown host www
root@debian7b:~# vi /etc/resolv.conf
root@debian7b:~# cat /etc/resolv.conf
nameserver 10.104.33.30
domain paul.local
root@debian7b:~# ping -c1 www
PING www.paul.local (10.104.33.31) 56(84) bytes of data.
64 bytes from 10.104.33.31: icmp_req=1 ttl=64 time=0.021 ms

--- www.paul.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.021/0.021/0.021/0.000 ms
root@debian7b:~#


Adding the domain paul.local directive to /etc/resolv.conf allows omitting the domain 
when using hostnames. 


You can have this done automatically by adjusting dhclient.conf.


root@debian7:~# grep paul.local /etc/dhcp/dhclient.conf
prepend domain-name "paul.local";
prepend domain-search "paul.local";
root@debian7:~#
4. Restart the DNS server and check your zone in the error log.


root@debian7:~# service bind9 restart
Stopping domain name service...: bind9.
Starting domain name service...: bind9.
root@debian7:~# grep paul.local /var/log/syslog
Oct 6 09:22:18 debian7 named[2707]: zone paul.local/IN: loaded seria\
l 2014100101
Oct 6 09:22:18 debian7 named[2707]: zone paul.local/IN: sending noti\
fies (serial 2014100101)


5. Use dig or nslookup (or even ping) to test your A records. 


root@debian7:~# ping -c1 ns1.paul.local
PING ns1.paul.local (10.104.33.30) 56(84) bytes of data.
64 bytes from 10.104.33.30: icmp_req=1 ttl=64 time=0.006 ms

--- ns1.paul.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.006/0.006/0.006/0.000 ms
root@debian7:~# ping -c1 www.paul.local
ping: unknown host www.paul.local


Note that the www record was commented out, so it should fail.

root@debian7:~# dig debian7.paul.local

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> debian7.paul.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50491
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;debian7.paul.local.		IN	A

;; ANSWER SECTION:
debian7.paul.local.	86400	IN	A	10.104.33.30

;; AUTHORITY SECTION:
paul.local.		86400	IN	NS	ns1.paul.local.
paul.local.		86400	IN	NS	debian7.paul.local.
paul.local.		86400	IN	NS	debianpaul.paul.local.

;; ADDITIONAL SECTION:
ns1.paul.local.		86400	IN	A	10.104.33.30
debianpaul.paul.local.	86400	IN	A	10.104.33.30

;; Query time: 4 msec
;; SERVER: 10.104.33.30#53(10.104.33.30)
;; WHEN: Mon Oct  6 09:35:25 2014
;; MSG SIZE  rcvd: 141

root@debian7:~#


6. Our primary server appears to be up and running. Note the information here:


server os   : Debian 7
ip address  : 10.104.33.30
domain name : paul.local
server name : ns1.paul.local




4.15. example: a DNS slave server 


1. A slave server transfers zone information over the network from a master server (a slave 
can also be a master). A primary server maintains zone records in its local file system. As 
an exercise, and to verify the work of all students, set up a slave server of all the master 
servers in the classroom. 


2. Before configuring the slave server, we may have to allow transfers from our zone to this 
server. Remember that this is not very secure since transfers are in clear text and limited to 
an ip address. This example follows our demo from above. 


Imagine a student named Jesse having completed the setup as shown before, with the domain 
name jesse.local and the ip address 10.104.15.20. The goal is to have a slave server of 
paul.local on Jesse's computer and a slave zone of jesse.local on my computer. 


Below is an example of an allow-transfer statement. Careful, maybe the default allows 
transfer to any. 


root@debian7:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "paul.local" IN {
	type master;
	file "/etc/bind/db.paul.local";
	allow-update { none; };
	allow-transfer { 10.104.15.20; };
};


3. With the configuration below I can make my server a slave for the jesse.local zone.


root@debian7:/etc/bind# tail -6 named.conf.local
zone "jesse.local" IN {
	type slave;
	file "/var/cache/named/db.jesse.local";
	masters { 10.104.15.20; };
};


root@debian7:/etc/bind# mkdir /var/cache/named/ 
root@debian7:/etc/bind# chown bind:bind /var/cache/named/ 
root@debian7:/etc/bind# ls -ld /var/cache/named/ 
drwxr-xr-x 2 bind bind 4096 Oct 1 20:01 /var/cache/named/ 


Note that we put the slave zones in /var/cache/named and not in /etc/bind. 


4. Restarting bind on the slave server should transfer the zone database file. Verify this in
/var/log/syslog. (time and date are truncated from the screenshot, and Jesse did not use the
current date in the serial number...)


root@debian7:/etc/bind# grep jesse /var/log/syslog
named[2731]: zone jesse.local/IN: Transfer started.
named[2731]: transfer of 'jesse.local/IN' from 10.104.15.20#53: connected u\
sing 10.104.33.30#44719
named[2731]: zone jesse.local/IN: transferred serial 20110516
named[2731]: transfer of 'jesse.local/IN' from 10.104.15.20#53: Transfer co\
mpleted: 1 messages, 8 records, 239 bytes, 0.001 secs (239000 bytes/sec)


And the contents of the slave zone: 


root@debian7:/etc/bind# cat /var/cache/named/db.jesse.local
$ORIGIN .
$TTL 604800     ; 1 week
jesse.local     IN SOA  ns.jesse.local. root.jesse.local.jesse.local. (
                        20110516   ; serial
                        300        ; refresh (5 minutes)
                        200        ; retry (3 minutes 20 seconds)
                        2419200    ; expire (4 weeks)
                        604800     ; minimum (1 week)
                        )
                NS      ns.jesse.local.
$ORIGIN jesse.local.
anya            A       10.104.15.1
mac             A       10.104.15.30
ns              A       10.104.15.20
ubu1010srv      A       10.104.15.20
www             A       10.104.15.25
root@debian7:/etc/bind#
4.16. practice: dns


1. Install bind9 and verify with a sniffer how it works. 
2. Add a forwarder and verify that it works. 


3. Create a primary forward lookup zone named yourname.local with at least two NS 
records and four A records. 


4. Use dig and nslookup to verify your NS and A records. 
5. Create a slave of your primary zone (on another server) and verify the zone transfer. 


6. Set up two primary zones on two servers and implement a conditional forwarder (you 
can use the two servers from before). 
4.17. solution: dns


1. Install bind9 and verify with a sniffer how it works. 


You should see queries to the root name servers with tcpdump or wireshark. 


2. Add a forwarder and verify that it works. 


The forwarder can be added in named.conf.options as seen in the theory.


3. Create a primary forward lookup zone named yourname.local with at least two NS 
records and four A records. 


This is literally explained in the theory. 


4. Use dig and nslookup to verify your NS and A records. 


This is literally explained in the theory. 


5. Create a slave of your primary zone (on another server) and verify the zone transfer. 


This is literally explained in the theory. 


6. Set up two primary zones on two servers and implement a conditional forwarder (you 
can use the two servers from before). 


A conditional forwarder is set in named.conf.local as a zone. 
(see the theory on forwarder) 
Chapter 5. advanced DNS


This chapter expands your DNS server with topics like round robin dns for load balancing 
servers, dns delegation to delegate child domains to another team and split horizon dns so 
you can provide local service locations to clients. 


There is more to dns, content will be added rsn. 
5.1. example: DNS round robin


When you create multiple A records for the same name, then bind will do a round robin of 
the order in which the records are returned. This allows the use of DNS as a load balancer 
between hosts, since clients will usually take the first ip-address offered. 


Consider this example from the /etc/bind/db.paul.local zone configuration file. There are 
two A records for www pointing to two distinct ip addresses. 


root@debian7:~# grep www /etc/bind/db.paul.local
www IN A 10.104.33.30
www IN A 10.104.33.31


Below a screenshot of nslookup querying a load balanced A record. Notice the order of ip 
addresses returned. 


root@debian7:~# nslookup www.paul.local 10.104.33.30
Server:		10.104.33.30
Address:	10.104.33.30#53

Name:	www.paul.local
Address: 10.104.33.31
Name:	www.paul.local
Address: 10.104.33.30

root@debian7:~# nslookup www.paul.local 10.104.33.30
Server:		10.104.33.30
Address:	10.104.33.30#53

Name:	www.paul.local
Address: 10.104.33.30
Name:	www.paul.local
Address: 10.104.33.31


Try to set up a website on two web servers (with a small difference so you can distinguish 
the websites) and test the round robin. 




5.2. DNS delegation 


You can delegate a child domain to another DNS server. The child domain then becomes
a new zone, with authority at the new dns server.


[figure: the server for "linux-training.be" has authority over the parent zone; a separate
server for "test.linux-training.be" has authority over the delegated child zone]


When delegation is properly set up, then clients that query your parent zone will also be
able to resolve the delegated child zones.
5.3. example: DNS delegation


We have another Linux server named debian7b and we want to make it responsible for the 
child domain test42.paul.local. 


Note the name of the servers in the screenshots are either debian7 (hosting the parent 
domain) or debian7b (hosting the child domain). 


We start by adjusting the /etc/bind/named.conf.local file (on the server hosting the parent
domain) to make sure that no forwarder will be used when resolving authoritative names.


root@debian7:~# grep -A4 paul.local /etc/bind/named.conf.local
zone "paul.local" IN {
	type master;
	file "/etc/bind/db.paul.local";
	allow-update { none; };
	allow-transfer { 10.104.15.20; };
	forwarders { };
};
root@debian7:~#


Technically, you could also set allow-transfer to { any; }; while troubleshooting and then 
refine it later, but this is not needed for delegation. 


Then we add the delegation to our zone database: 


root@debian7:~# tail -3 /etc/bind/db.paul.local
$ORIGIN test42.paul.local.
@ IN NS ns2.test42.paul.local.
ns2 IN A 10.104.33.31 ; the glue record
root@debian7:~#


Don't forget to restart bind and verify /var/log/syslog. 


root@debian7:~# service bind9 restart
Stopping domain name service...: bind9.
Starting domain name service...: bind9.
root@debian7:~# grep paul.local /var/log/syslog | cut -c28- | tail -2
named[3202]: zone paul.local/IN: loaded serial 2014100801
named[3202]: zone paul.local/IN: sending notifies (serial 2014100801)
root@debian7:~#


Note that on your terminal you can type tail -40 /var/log/syslog because the only reason I 
use grep, cut and tail -2 is to limit the size of the screenshots in this book. 
Next we create a zone database file on the second server, as seen in this screenshot:


root@debian7b:~# cat /etc/bind/db.test42.paul.local
; child zone for classroom teaching
$TTL 86400
$ORIGIN test42.paul.local.
@ IN SOA ns2.test42.paul.local. root.test42.paul.local. (
	2014100802 ; Serial
	1h ; Refresh
	1h ; Retry
	2h ; Expire
	900 ) ; Negative Cache TTL
; name servers
	IN NS ns2.test42.paul.local.
	IN NS debian7b.test42.paul.local.
;
; servers
;
ns2 IN A 10.104.33.31
debian7b IN A 10.104.33.31
testsrv IN A ...
root@debian7b:~#


The second server also needs a zone definition in named.conf.local, followed by a restart 
of bind. 


root@debian7b:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "test42.paul.local" IN {
	type master;
	file "/etc/bind/db.test42.paul.local";
	allow-update { none; };
	allow-transfer { any; };
};
root@debian7b:~#


Testing on the parent server: 


root@debian7:~# dig ns1.paul.local +short
10.104.33.30
root@debian7:~# dig ns2.test42.paul.local +short
10.104.33.31
root@debian7:~# dig debian7b.test42.paul.local +short
10.104.33.31
5.4. example: split-horizon dns


Suppose you want to answer dns queries depending on who is asking. For example 
when someone from the 10.104.15.0/24 network (managed by Jesse) asks for the A 
record www.paul.local, then dns answers with 10.104.33.30. But when someone from the 
10.104.42.0/24 network (managed by Keith) asks for the same A record of www.paul.local, 
he will get 10.104.33.31 as an answer. 


A split-horizon setup can be used to redirect people to local copies of certain services. 


In this example we want to decide on specific answers for two networks (Jesse's and Keith's) 
and prevent them from using our dns server for recursion, while maintaining the capability 
to resolve the internet and our paul.local zone from our own network. 


We start by creating three view clauses in named.conf.local. 


root@debian7:/etc/bind# cat named.conf.local
view "paul" {
	match-clients { 10.104.33.0; localhost; };
	include "/etc/bind/named.conf.default-zones";
	zone "paul.local" IN {
		type master;
		file "/etc/bind/db.paul.local";
		allow-update { none; };
	};
}; // end view internal

view "jesse" {
	match-clients { 10.104.15/24; };
	zone "paul.local" IN {
		type master;
		file "/etc/bind/db.paul.local.jesse";
		allow-update { none; };
	};
}; // end view jesse

view "keith" {
	match-clients { 10.104.42/24; };
	zone "paul.local" IN {
		type master;
		file "/etc/bind/db.paul.local.keith";
		allow-update { none; };
	};
}; // end view keith


Note that we included the default-zones in the internal view. It is mandatory to put all zones
inside views when using a view.


The zone files are identical copies, except for the www record. You can see that the
round robin is still active for internal users, while computers from 10.104.15.0/24 (Jesse) will
always receive 10.104.33.30 and computers from 10.104.42.0/24 (Keith) will receive
10.104.33.31.


root@debian7:/etc/bind# grep www db.paul.local db.paul.local.[jk]*
db.paul.local:www IN A 10.104.33.30
db.paul.local:www IN A 10.104.33.31
db.paul.local.jesse:www IN A 10.104.33.30
db.paul.local.keith:www IN A 10.104.33.31
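As an added example (not from the book), here is a model of how named picks a view for a client and what the www record looks like from each network. The match-clients lists are copied from the configuration above and the answers from the zone files; localhost is simplified to the loopback network. Note that an element without a prefix length, such as 10.104.33.0, matches that one address only, which the last call illustrates.

```python
import ipaddress

# match-clients lists as in the named.conf.local above; the www answers per
# view are taken from the grep output of the three zone files.
VIEWS = [
    ("paul",  ["10.104.33.0", "localhost"], ["10.104.33.30", "10.104.33.31"]),
    ("jesse", ["10.104.15/24"],             ["10.104.33.30"]),
    ("keith", ["10.104.42/24"],             ["10.104.33.31"]),
]


def bind_network(element):
    """Translate one address-match-list element into an ip_network.

    BIND accepts the short prefix form 10.104.15/24 used above, which the
    ipaddress module does not, so missing octets are padded with zeros.
    A bare address without a prefix length matches that single host."""
    if element == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if element == "localhost":          # simplification: the loopback net
        return ipaddress.ip_network("127.0.0.0/8")
    addr, _, prefix = element.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)


class SplitHorizon:
    def __init__(self, views):
        self.views = [(name, [bind_network(e) for e in elems], list(answers))
                      for name, elems, answers in views]
        self.rotation = {name: 0 for name, _, _ in views}

    def select_view(self, client):
        """Views are tried in file order and the first match wins."""
        ip = ipaddress.ip_address(client)
        for name, nets, _ in self.views:
            if any(ip in net for net in nets):
                return name
        return None

    def answer_www(self, client):
        """A records for www as this client sees them (cyclic order, as the
        nslookup output in 5.1 shows), or REFUSED when no view matches."""
        view = self.select_view(client)
        if view is None:
            return "REFUSED"
        answers = next(a for n, _, a in self.views if n == view)
        k = self.rotation[view] % len(answers)
        self.rotation[view] += 1
        return answers[k:] + answers[:k]


if __name__ == "__main__":
    dns = SplitHorizon(VIEWS)
    for client in ("127.0.0.1", "127.0.0.1", "10.104.15.7", "10.104.42.9", "10.104.33.31"):
        print(f"{client:>13} -> {dns.select_view(client)}: {dns.answer_www(client)}")
```

A view with match-clients { any; } placed first would shadow every view after it, so the order of the view clauses matters as much as their contents.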
5.5. old dns topics


All the dns things below this paragraph are old and in urgent need of review.


5.5.1. old example: reverse DNS


1. We can add ip to name resolution to our dns-server using a reverse dns zone. 


2. Start by adding a .arpa zone to /etc/bind/named.conf.local like this (we set notify to no to 
avoid sending of notify messages to other name servers): 


root@ubu1010srv:/etc/bind# grep -A4 arpa named.conf.local
zone "1.168.192.in-addr.arpa" {
	type master;
	notify no;
	file "/etc/bind/db.192";
};


3. Also create a zone database file for this reverse lookup zone. 


root@ubu1010srv:/etc/bind# cat db.192
;
; BIND reverse data file for 192.168.1.0/24 network
;
$TTL 604800
@ IN SOA ns.cobbaut.paul. root.cobbaut.paul. (
	20110516 ; Serial
	604800 ; Refresh
	86400 ; Retry
	2419200 ; Expire
	604800 ) ; Negative Cache TTL
;
@ IN NS ns.cobbaut.paul.
37 IN PTR ns.cobbaut.paul.
1 IN PTR anya.cobbaut.paul.
30 IN PTR mac.cobbaut.paul.
root@ubu1010srv:/etc/bind#


4. Test with nslookup or dig: 


root@ubu1010srv:/etc/bind# dig 1.168.192.in-addr.arpa AXFR 
5.5.2. old DNS load balancing


Not as above. When you have more than one DNS server authoritative for a zone, you can
spread queries amongst all servers. One way to do this is by creating NS records for all servers
that participate in the load balancing of external queries.


You could also configure different name servers on internal clients.


5.5.3. old DNS notify


The original design of DNS in rfc 1034 and rfc 1035 implemented a refresh time in the 
SOA record to configure a time loop for slaves to query their master server. This can result 
in a lot of useless pull requests, or in a significant lag between updates. 


For this reason dns notify (rfc 1996) was designed. The server will now notify slaves 
whenever there is an update. By default this feature is activated in bind. 


Notify can be disabled as in this screenshot. 


zone "1.168.192.in-addr.arpa" {
	type master;
	notify no;
	file "/etc/bind/db.192";
};


5.5.4. old testing IXFR and AXFR 


Full zone transfers (AXFR) are initiated when you restart the bind server, or when you 
manually update the zone database file directly. With nsupdate you can update a zone 
database and initiate an incremental zone transfer. 


You need DDNS allowed for nsupdate to work. 


root@ubu1010srv:/etc/bind# nsupdate
> server 127.0.0.1
> update add mac14.linux-training.be 86400 A 192.168.1.23
> send
update failed: REFUSED


5.5.5. old DDNS integration with DHCP 


Some organizations like to have all their client computers in DNS. This can be cumbersome 
to maintain. Luckily rfc 2136 describes integration of DHCP servers with a DNS server. 
Whenever DHCP acknowledges a client ip configuration, it can notify DNS with this clients 
ip-address and name. This is called dynamic updates or DDNS. 


5.5.6. old reverse is forward in-addr.arpa 


Reverse lookup is actually implemented as a forward lookup in the in-addr.arpa domain.
This domain has 256 child domains (from 0.in-addr.arpa to 255.in-addr.arpa), with each
child domain having again 256 child domains. And this twice more to a structure of over
four billion (2 to the power 32) domains.
5.5.7. old ipv6


With rfc 3596 came ipv6 extensions for DNS. There is the AAAA record for ipv6 hosts on
the network, and there is the ip6.int domain for reverse lookup (having 16 child domains
from 0.ip6.int to f.ip6.int, each of those having again 16 child domains... and this 16 times).


5.5.8. old DNS security: file corruption 


To mitigate file corruption on the zone files and the bind configuration files protect them 
with Unix permissions and take regular backups. 


5.5.9. old DNS security: zone transfers 


Limit zone transfers to certain ip addresses instead of to any. Nevermind that ip-addresses 
can be spoofed, still use this. 


5.5.10. old DNS security: zone transfers, ip spoofing 


You could setup DNSSEC (which is not the easiest to maintain) and with rfc 2845(tsig?) and 
with rfc 2930(tkey, but this is open to brute force), or you could disable all zone transfers 
and use a script with ssh to copy them manually. 


5.5.11. old DNS security: queries


Allow recursion only from the local network, and iterative queries from outside only when
necessary. This can be configured on master and slave servers, for example with views (note
that once views are used, every zone statement must live inside a view).

view "internal" {
    match-clients { 192.168.42.0/24; };
    recursion yes;
};
view "external" {
    match-clients { any; };
    recursion no;
};

Or allow only queries from the local network, except for the zones you are authoritative for.

options {
    allow-query { 192.168.42.0/24; localhost; };
};
zone "cobbaut.paul" {
    allow-query { any; };
};

Or only allow recursive queries from internal clients.

options {
    allow-recursion { 192.168.42.0/24; localhost; };
};
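
The two measures above (transfers only to a slave that can prove who it is, recursion only
for the inside) can be generated together. The script below is an added example, not part
of the original text or of bind: it creates a TSIG key with coreutils (tsig-keygen from
bind 9.9+ produces the same kind of statement) and prints the named.conf fragments for the
master and the slave. The zone cobbaut.paul and the network 192.168.42.0/24 come from the
text; the key name xfer-key, the master address 192.168.42.1 and the file paths are
assumptions.

```shell
#!/bin/sh
# Added example (not from the original text): generate a TSIG key and the
# named.conf fragments that limit zone transfers to a slave that signs its
# AXFR with that key, and limit recursion to the internal network. The zone
# cobbaut.paul and the 192.168.42.0/24 network come from the text; the key
# name xfer-key, the master 192.168.42.1 and the file paths are assumptions.

# 32 random bytes, base64 encoded: a 44 character hmac-sha256 secret.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The key statement is identical on master and slave (same name, same secret).
render_key() {           # $1 key name, $2 secret
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Master: no transfers by default, transfers of this zone only when the
# request is signed with the key (the source address alone is not trusted),
# recursion only for internal clients, answers for our own zone to anyone.
render_master() {        # $1 zone, $2 key name, $3 internal network
    cat <<EOF
include "/etc/named.$2.key";
options {
    allow-transfer { none; };
    allow-recursion { $3; localhost; };
};
zone "$1" {
    type master;
    file "/var/named/db.$1";
    allow-transfer { key "$2"; };
};
EOF
}

# Slave: sign every request to this master with the key.
render_slave() {         # $1 zone, $2 key name, $3 master address
    cat <<EOF
include "/etc/named.$2.key";
server $3 {
    keys { "$2"; };
};
zone "$1" {
    type slave;
    file "/var/named/slaves/db.$1";
    masters { $3; };
};
EOF
}

# Print all three fragments; redirect each to its file, then run
# named-checkconf on both servers before reloading.
main() {
    secret=$(gen_tsig_secret)
    echo "# /etc/named.xfer-key.key (mode 640, owner root, group named):"
    render_key xfer-key "$secret"
    echo "# master named.conf:"
    render_master cobbaut.paul xfer-key 192.168.42.0/24
    echo "# slave named.conf:"
    render_slave cobbaut.paul xfer-key 192.168.42.1
}

# With no argument only the functions are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    main
fi
```

To verify, an unsigned "dig @192.168.42.1 cobbaut.paul axfr" must now fail with "Transfer
failed", while "dig -y hmac-sha256:xfer-key:SECRET @192.168.42.1 cobbaut.paul axfr" returns
the zone; a recursive query for a foreign name from outside 192.168.42.0/24 gets REFUSED.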
5.5.12. old DNS security: chrooted bind

Most Linux distributions allow an easy setup of bind in a chrooted environment (for example
the bind-chroot package on RHEL/CentOS), so that a compromised named process only sees its
own files.


5.5.13. old DNS security: DNSSEC


DNSSEC uses public/private keys to sign zone data, so that resolvers can verify the
authenticity and integrity of answers; it does not encrypt queries. It is described in rfc's
4033, 4034 and 4035.


5.5.14. old DNS security: root


Do not run bind as root. Do not run any application daemon as root. Distribution packages
start named as a dedicated user (bind or named); keep it that way.
Chapter 6. introduction to dhcp


Dynamic Host Configuration Protocol (or short dhcp) is a standard protocol of the tcp/ip
suite that distributes ip configurations to clients. dhcp is defined in rfc 2131 (before that
it was defined as an update to bootp in rfc 1531/1541).


The alternative to dhcp is manually entering the ip configuration on each client computer.
6.1. four broadcasts


dhcp works with broadcasts: an ethernet broadcast to ff:ff:ff:ff:ff:ff carrying an ip
broadcast to 255.255.255.255, over udp, port 68 on the client and port 67 on the server. A
dhcp client that starts will send a dhcp discover on the network. All dhcp servers (that
have a lease available) will respond with a dhcp offer. The client will choose one of those
offers and will send a dhcp request containing the chosen offer. The chosen dhcp server
usually responds with a dhcp ack(nowledge); the other servers see the request as well and
withdraw their offers.


In wireshark it looks like this (the decode below is the DHCP ACK, frame 40387, sent by
192.168.1.200 to 255.255.255.255).

No.    Time         Source         Destination      Protocol  Info
40387  1687.653918  192.168.1.200  255.255.255.255  DHCP      DHCP ACK

Your (client) IP address: 192.168.1.158 (192.168.1.158)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: CadmusCo_5e:38:76 (08:00:27:5e:38:76)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option: (t=53,l=1) DHCP Message Type = DHCP ACK
Option: (t=54,l=4) DHCP Server Identifier = 192.168.1.200
Option: (t=51,l=4) IP Address Lease Time = 6 hours
Option: (t=81,l=24) Client Fully Qualified Domain Name
Option: (t=1,l=4) Subnet Mask = 255.255.255.0
Option: (t=15,l=15) Domain Name = "classdemo.local"
Option: (t=3,l=4) Router = 192.168.1.1
Option: (t=6,l=4) Domain Name Server = 192.168.1.1
End Option


When this procedure is finished, then the client is allowed to use that ip-configuration until 
the end of its lease time. 
6.2. picturing dhcp


Here we have a small network with two dhcp servers named DHCP-SRV1 and DHCP-SRV2 and two
clients (SunWS1 and Mac42). All computers are connected by a hub or switch (pictured in the
middle). All four computers have a cable to the hub (cables not pictured).


(figure: the four computers around the hub, with these addresses)

DHCP-SRV1   192.168.1.200   scope 192.168.1.20-199
DHCP-SRV2   192.168.1.201   scope 192.168.1.220-249
SunWS1      192.168.1.20
Mac42       192.168.1.21

1. The client SunWS1 sends a dhcp discover on the network. All computers receive this
broadcast.


2. Both dhcp servers answer with a dhcp offer. DHCP-SRV1 is a dedicated dhcp server
and is faster in sending a dhcp offer than DHCP-SRV2 (which happens to also be a file server).


3. The client chooses the offer from DHCP-SRV1 and sends a dhcp request on the network.

4. DHCP-SRV1 answers with a dhcp ack (short for acknowledge).


All four broadcasts (or five when you count both offers) are layer 2 ethernet broadcasts
to mac address ff:ff:ff:ff:ff:ff and layer 3 ip broadcasts to 255.255.255.255. Note that the
client simply takes the first offer it likes: nothing in the protocol verifies that the
server is a legitimate one.


The same story can be read in rfc 2131.
6.3. installing a dhcp server


dhcp server for Debian/Mint


debian5:~# aptitude install dhcp3-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
The following NEW packages will be installed:
  dhcp3-server


You get a configuration file with many examples.


debian5:~# ls -l /etc/dhcp3/dhcpd.conf
-rw-r--r-- 1 root root 3551 2011-04-10 21:23 /etc/dhcp3/dhcpd.conf


On Debian 7 and later the package is called isc-dhcp-server and the configuration file is
/etc/dhcp/dhcpd.conf.


6.4. dhcp server for RHEL/CentOS


Installing is easy with yum.


[root@rhel71 ~]# yum install dhcp
Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package dhcp.x86_64 12:4.2.5-36.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package     Arch       Version             Repository             Size
Installing:
 dhcp        x86_64     12:4.2.5-36.el7     rhel-7-server-rpms     510 k

Transaction Summary

Install  1 Package

Total download size: 510 k
Installed size: 1.4 M
Is this ok [y/d/N]: y
Downloading packages:
dhcp-4.2.5-36.el7.x86_64.rpm                            | 510 kB  00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 12:dhcp-4.2.5-36.el7.x86_64                           1/1
  Verifying  : 12:dhcp-4.2.5-36.el7.x86_64                           1/1

Installed:
  dhcp.x86_64 12:4.2.5-36.el7

Complete!
[root@rhel71 ~]#


After installing we get a /etc/dhcp/dhcpd.conf that points us to an example file named
dhcpd.conf.example.

[root@rhel71 ~]# cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
[root@rhel71 ~]#


So we copy the example and adjust it for our real situation. We name the copy /etc/dhcp/
dhcpd.conf.


[root@rhel71 ~]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcp\
d.conf
[root@rhel71 ~]# vi /etc/dhcp/dhcpd.conf
[root@rhel71 ~]# cat /etc/dhcp/dhcpd.conf
option domain-name "linux-training.be";
option domain-name-servers 10.42.42.42;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;

subnet 10.42.0.0 netmask 255.255.0.0 {
  range 10.42.200.1 10.42.200.29;
  option routers 10.42.200.1;
}
[root@rhel71 ~]#


The 'routers' option is valid for the subnet alone, whereas the 'domain-name' option is global
(for all subnets). Note that the router address 10.42.200.1 lies inside the range: exclude it
from the range (or reserve it, see 6.5), otherwise dhcpd may hand it out to a client. Check
the file with dhcpd -t before starting; a syntax error makes dhcpd refuse to start.


Time to start the server. Remember to use systemctl start dhcpd on RHEL7/CentOS7 and
service dhcpd start on previous versions of RHEL/CentOS.


[root@rhel71 ~]# systemctl start dhcpd 
[root@rhel71 ~]# 


6.5. client reservations


You can reserve an ip configuration for a client using the mac address.


host pc42 {
  hardware ethernet 11:22:33:44:55:66;
  fixed-address 192.168.42.42;
}


You can add individual options to this reservation.

host pc42 {
  hardware ethernet 11:22:33:44:55:66;
  fixed-address 192.168.42.42;
  option domain-name "linux-training.be";
  option routers 192.168.42.1;
}
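
Reservations are usually kept in a list somewhere else and pasted into dhcpd.conf, which is
where typos creep in. The script below is an added example, not from the original text or
from the dhcp package: it turns a hostname,mac,ip list into host declarations like the ones
above and refuses malformed MAC addresses, a MAC listed twice, and addresses outside the
subnet, then lets dhcpd -t check the whole configuration before the new file is put in
place. The host pc42 and the subnet 192.168.42.0/24 come from the text; the other sample
hosts and the file name /etc/dhcp/reservations.conf are constructed.

```shell
#!/bin/sh
# Added example (not from the original text): build dhcpd.conf host
# reservations from a hostname,mac,ip list and validate them first.
# 192.168.42.0/24 and pc42 come from the text; the other hosts below are a
# constructed sample (one bad MAC, one duplicate, one outside the subnet).

SAMPLE_HOSTS='pc42,11:22:33:44:55:66,192.168.42.42
printer,AA:BB:CC:DD:EE:FF,192.168.42.50
broken,11:22:33:44:55,192.168.42.51
dup,11:22:33:44:55:66,192.168.42.52
elsewhere,00:11:22:33:44:55,192.168.43.10'

valid_mac() { printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
valid_ip()  { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# dotted quad to integer so the subnet test is plain arithmetic
# (write octets without leading zeros, the shell would read them as octal)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_subnet() {            # $1 ip, $2 network, $3 prefix length
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# CSV on stdin (name,mac,ip; lines starting with # are comments), host
# declarations on stdout, one complaint per rejected line on stderr.
# Returns 1 if anything was rejected, so the caller can refuse to install
# an incomplete file.
render_reservations() {  # $1 network, $2 prefix length
    seen=" " bad=0
    while IFS=, read -r name mac ip; do
        case "$name" in ''|\#*) continue ;; esac
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! valid_mac "$mac"; then
            echo "skip $name: bad mac '$mac'" >&2; bad=1; continue
        fi
        case "$seen" in *" $mac "*)
            echo "skip $name: mac $mac already used" >&2; bad=1; continue ;;
        esac
        if ! valid_ip "$ip" || ! in_subnet "$ip" "$1" "$2"; then
            echo "skip $name: $ip not in $1/$2" >&2; bad=1; continue
        fi
        seen="$seen$mac "
        printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' "$name" "$mac" "$ip"
    done
    return $bad
}

# Keep the reservations in their own file, included from dhcpd.conf with
#   include "/etc/dhcp/reservations.conf";
# and let dhcpd parse everything before the new file is kept.
install_reservations() { # $1 csv file, $2 network, $3 prefix length
    cp /etc/dhcp/reservations.conf /etc/dhcp/reservations.conf.bak 2>/dev/null
    if render_reservations "$2" "$3" < "$1" > /etc/dhcp/reservations.conf &&
       dhcpd -t -cf /etc/dhcp/dhcpd.conf; then
        return 0
    fi
    echo "keeping the previous reservations" >&2
    [ -f /etc/dhcp/reservations.conf.bak ] && mv /etc/dhcp/reservations.conf.bak /etc/dhcp/reservations.conf
    return 1
}

# "./reservations.sh hosts.csv 192.168.42.0 24" installs; no arguments only
# defines the functions so the file can be sourced.
if [ "$#" -eq 3 ]; then
    install_reservations "$1" "$2" "$3"
fi
```

On the constructed sample only pc42 and printer survive: the broken MAC, the duplicate of
pc42's MAC and the 192.168.43.10 address are reported on stderr and the function returns 1.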


6.6. example config files


Below you see several sections of /etc/dhcp/dhcpd.conf on a Debian 6 server.


# NetSec Antwerp Network
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.20 192.168.1.199;
  option domain-name-servers ns1.netsec.local;
  option domain-name "netsec.local";
  option routers 192.168.1.1;
  option broadcast-address 192.168.1.255;
  default-lease-time 7200;
  max-lease-time 7200;
}


Above the general configuration for the network, with a pool of 180 addresses (192.168.1.20
to 192.168.1.199). Hostnames in the configuration (ns1.netsec.local, mac.netsec.local) are
resolved once when dhcpd starts, so DNS must be reachable at that moment.


Below two client reservations:


#
# laptops
#
host mac {
  hardware ethernet 00:26:bb:xx:xx:xx;
  fixed-address mac.netsec.local;
}

host vmac {
  hardware ethernet 8c:7b:9d:xx:xx:xx;
  fixed-address vmac.netsec.local;
}
6.7. older example config files


For dhcpd.conf on Fedora with dynamic updates for a DNS domain.


[root@fedora14 ~]# cat /etc/dhcp/dhcpd.conf
authoritative;
include "/etc/rndc.key";

log-facility local6;

server-identifier fedora14;
ddns-domainname "office.linux-training.be";
ddns-update-style interim;
ddns-updates on;
update-static-leases on;

option domain-name "office.linux-training.be";
option domain-name-servers 192.168.42.100;

option ip-forwarding off;

default-lease-time 1800;
max-lease-time 3600;

zone office.linux-training.be {
  primary 192.168.42.100;
}

subnet 192.168.4.0 netmask 255.255.255.0 {
  range 192.168.4.24 192.168.4.40;
}


Allowing any updates in the zone database (part of the named.conf configuration). This is
acceptable in a lab; on a real network anyone who can reach the server can then rewrite
the zone.


zone "office.linux-training.be" {
  type master;
  file "/var/named/db.office.linux-training.be";
  allow-transfer { any; };
  allow-update { any; };
};


Allowing secure key updates in the zone database (part of the named.conf configuration).
The name after key must match the name of a key statement that named has loaded; with the
sample key file below that name is rndc-key, not mykey. The zone statement in dhcpd.conf
then needs a matching line (key rndc-key;) so that dhcpd signs its updates.


zone "office.linux-training.be" {
  type master;
  file "/var/named/db.office.linux-training.be";
  allow-transfer { any; };
  allow-update { key mykey; };
};


Sample key file contents:

[root@fedora14 ~]# cat /etc/rndc.key
key "rndc-key" {
  algorithm hmac-md5;
  secret "4Ykd58uleUr3Ve6adlqTfQ==";
};

Generate your own keys with dnssec-keygen (older bind) or tsig-keygen (bind 9.9 and later,
which defaults to hmac-sha256; hmac-md5 is considered weak today). Keep the key file
readable only by the users named and dhcpd run as: whoever can read the secret can rewrite
the zone.


How to include a key in a config file:


include "/etc/bind/rndc.key";


Also make sure that bind can write to your db.zone file and to its directory (bind keeps a
journal file next to a dynamic zone), using chmod/chown. For Ubuntu this can be in
/etc/bind, for Fedora in /var/named.
6.8. advanced dhcp

6.8.1. 80/20 rule


DHCP servers should not be a single point of failure. Let us discuss redundant dhcp server
setups. The classic 80/20 rule splits one scope over two servers: one server hands out 80
percent of the addresses, the other the remaining 20 percent, so clients still get a lease
while one server is down.


6.8.2. relay agent

To avoid having to place a dhcp server on every segment, we can use dhcp relay agents. A
relay agent forwards the client's broadcasts as unicast to a dhcp server on another segment
and returns the answers.

6.8.3. rogue dhcp servers


Rogue dhcp servers are a problem the protocol itself does not solve: a client accepts the
first offer it gets, from any server. A typical cause is the accidental connection of a
(believed to be simple) hub/switch/router with a built-in dhcp server to a network that
already has one. Managed switches can block dhcp offers on ports where no server should be
(dhcp snooping); otherwise you detect rogue servers by watching for offers from unknown
server identifiers.
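
The two-server picture in 6.2 already shows what a rogue server looks like on the wire: a
second offer, with a different server identifier, for the same transaction id. The script
below is an added example, not part of the original text or of the dhcp package: it reads
the output of "tcpdump -vvv -n" (live or from a saved capture) and reports every offer or
acknowledgement whose server identifier is not in an allow-list. The allow-list holds the
two servers of the picture, 192.168.1.200 and 192.168.1.201; the sample capture is
constructed in tcpdump's format and contains a third, rogue server at 192.168.1.77.

```shell
#!/bin/sh
# Added example (not from the original text): report dhcp offers and acks
# from servers that are not on the allow-list, from tcpdump -vvv -n output.
# The allow-list entries 192.168.1.200 and 192.168.1.201 are the two servers
# of the picture in 6.2; the sample below is a constructed excerpt, with a
# rogue server at 192.168.1.77 answering the same transaction.

SAMPLE='10:00:01.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 08:00:27:5e:38:76, length 300, xid 0x1a2b3c4d, Flags [Broadcast]
    Client-Ethernet-Address 08:00:27:5e:38:76
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message (53), length 1: Discover
10:00:01.002000 IP 192.168.1.200.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x1a2b3c4d, Flags [Broadcast]
    Your-IP 192.168.1.158
    Client-Ethernet-Address 08:00:27:5e:38:76
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message (53), length 1: Offer
      Server-ID (54), length 4: 192.168.1.200
      Lease-Time (51), length 4: 21600
10:00:01.004000 IP 192.168.1.77.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x1a2b3c4d, Flags [Broadcast]
    Your-IP 10.0.0.50
    Client-Ethernet-Address 08:00:27:5e:38:76
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message (53), length 1: Offer
      Server-ID (54), length 4: 192.168.1.77
      Default-Gateway (3), length 4: 10.0.0.1
      Lease-Time (51), length 4: 3600'

# Read tcpdump -v output on stdin. A new packet starts with a timestamp at
# column 0; the decoded options are indented below it. Report every Offer
# or ACK whose Server-ID (option 54) is not in the allow-list.
find_rogue_offers() {    # $1: space separated list of legitimate server ids
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    function flush() {
        if ((type == "Offer" || type == "ACK") && sid != "" && !(sid in ok))
            print "rogue " type " from server-id " sid " offering " yip " (xid " xid ")"
        type = ""; sid = ""; yip = ""; xid = ""
    }
    /^[0-9]/ {
        flush()
        if (match($0, /xid 0x[0-9a-f]+/)) xid = substr($0, RSTART + 4, RLENGTH - 4)
    }
    /Your-IP /             { yip = $2 }
    /DHCP-Message \(53\)/  { type = $NF }
    /Server-ID \(54\)/     { sid = $NF }
    END { flush() }'
}

# Live check: capture only the dhcp ports, line buffered, so a rogue server
# shows up as soon as any client renews (or you run "dhclient -r; dhclient").
watch_live() {           # $1 interface, $2 allow-list
    tcpdump -i "$1" -vvv -n -l 'udp and (port 67 or port 68)' 2>/dev/null |
        find_rogue_offers "$2"
}

# "./rogue.sh eth0 '192.168.1.200 192.168.1.201'" watches live; without
# arguments only the functions are defined.
if [ "$#" -eq 2 ]; then
    watch_live "$1" "$2"
fi
```

For a saved capture use "tcpdump -vvv -n -r dhcp.pcap | sh -c '. ./rogue.sh;
find_rogue_offers "192.168.1.200 192.168.1.201"'". Note that a rogue server can also
answer only a single client, so let the watch run for a while rather than once.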


6.8.4. dhcp and ddns


DHCP can dynamically update DNS when it configures a client computer. DDNS can be
used with or without secure keys.


When set up properly, records are added automatically to the zone file:

root@fedora14~# tail -2 /var/named/db.office.linux-training.be
ubu1010srv    A    192.168.42.151
              TXT  "00dfbb15e144a273c3cf2d6ae933885782"

The TXT record holds a hash of the client's identifier. With the interim update style dhcpd
only replaces the A record of a name when that TXT record matches, so a second client cannot
take over a name that is already in use.
6.9. Practice: dhcp


1. Make sure you have a unique fixed ip address for your DNS and DHCP server (easier
on the same machine).


2. Install DHCP and browse the explanation in the default configuration file /etc/dhcp/
dhcpd.conf or /etc/dhcp3/dhcpd.conf.


3. Decide on a valid scope and activate it.

4. Test with a client that your DHCP server works.


5. Use wireshark to capture the four broadcasts when a client receives an ip (for the first
time).


6. Use wireshark to capture a DHCPNAK and a DHCPRELEASE.

7. Reserve a configuration for a particular client (using mac address).


8. Configure your DHCP/DNS server(s) with a proper hostname and domainname (/etc/
hosts, /etc/hostname, /etc/sysconfig/network on Fedora/RHEL, /etc/resolv.conf ...). You
may need to disable NetworkManager on *buntu-desktops.


9. Make sure your DNS server still works, and is master over (at least) one domain.


There are several ways to do steps 10-11-12. Google is your friend in exploring DDNS with
keys, with key-files or without keys.


10. Configure your DNS server to allow dynamic updates from your DHCP server.

11. Configure your DHCP server to send dynamic updates to your DNS server.


12. Test the working of Dynamic DNS.
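
Step 12 is easier to debug when you can send the updates by hand, with the same key file
that dhcpd includes (6.7), before letting dhcpd do it. The script below is an added example,
not from the original text or from bind: it builds nsupdate batches that mirror what dhcpd
does in the interim style (claim a name only if it is free, refresh or release it only if the
TXT hash still matches) and checks the result with dig. The zone office.linux-training.be,
the server 192.168.42.100, the key file /etc/rndc.key and the TXT value come from 6.7; the
host name ubu1010srv, its addresses and the ttl of 300 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original text): send dynamic updates by hand
# with nsupdate, signed with the key file dhcpd includes, to test the
# allow-update { key ...; } configuration. Zone, server, key file and the
# TXT value come from the text; host name, addresses and ttl are assumptions.

fqdn() { printf '%s.%s' "$1" "$2"; }

# First lease: the name must not exist yet (prereq nxdomain); then add the
# A record and the TXT record that identifies this client.
build_claim() {          # $1 server, $2 zone, $3 host, $4 ip, $5 ttl, $6 client hash
    n=$(fqdn "$3" "$2")
    printf 'server %s\nzone %s\nprereq nxdomain %s\nupdate add %s %s A %s\nupdate add %s %s TXT "%s"\nsend\n' \
        "$1" "$2" "$n" "$n" "$5" "$4" "$n" "$5" "$6"
}

# Renewal with a new address: only if the TXT record still carries this
# client's hash (prereq yxrrset) replace the A record. A different client
# asking for the same name fails the prerequisite and cannot hijack it.
build_refresh() {        # $1 server, $2 zone, $3 host, $4 ip, $5 ttl, $6 client hash
    n=$(fqdn "$3" "$2")
    printf 'server %s\nzone %s\nprereq yxrrset %s TXT "%s"\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$1" "$2" "$n" "$6" "$n" "$n" "$5" "$4"
}

# Lease expiry: remove all records of the name, again guarded by the hash.
build_release() {        # $1 server, $2 zone, $3 host, $4 client hash
    n=$(fqdn "$3" "$2")
    printf 'server %s\nzone %s\nprereq yxrrset %s TXT "%s"\nupdate delete %s\nsend\n' \
        "$1" "$2" "$n" "$4" "$n"
}

# nsupdate reads the batch on stdin; -k points at the file with the key {}
# statement, the same file named.conf includes. A failed prerequisite or a
# refused update makes nsupdate print the error and return non-zero.
apply_batch() {          # $1 key file; batch on stdin
    nsupdate -k "$1"
}

# Ask the authoritative server itself (no recursion) what it has now.
lookup() {               # $1 server, $2 fqdn, $3 record type
    dig +short +norecurse @"$1" "$2" "$3"
}

main() {
    zone=office.linux-training.be srv=192.168.42.100 key=/etc/rndc.key
    hash=00dfbb15e144a273c3cf2d6ae933885782
    build_claim "$srv" "$zone" ubu1010srv 192.168.42.151 300 "$hash" | apply_batch "$key"
    lookup "$srv" "ubu1010srv.$zone" A
    build_refresh "$srv" "$zone" ubu1010srv 192.168.42.152 300 "$hash" | apply_batch "$key"
    lookup "$srv" "ubu1010srv.$zone" A
    # a second claim of the same name with another hash must fail on nxdomain
    build_claim "$srv" "$zone" ubu1010srv 192.168.42.153 300 deadbeef | apply_batch "$key" ||
        echo "second claim refused, as it should be"
    build_release "$srv" "$zone" ubu1010srv "$hash" | apply_batch "$key"
}

# "./ddns-test.sh run" talks to the server; no argument only defines functions.
if [ "$#" -gt 0 ]; then
    main
fi
```

If the claim is refused although allow-update names the key, compare the key name in
/etc/rndc.key with the one in named.conf, and check the named log for "update failed:
REFUSED" (wrong key or source) versus "NXRRSET"/"YXDOMAIN" (prerequisite failed, the name is
already taken).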


Part V. iptables firewall


Table of Contents


7. introduction to routers
   7.1. router or firewall
   7.2. packet forwarding
   7.3. packet filtering
   7.4. stateful
   7.5. nat (network address translation)
   7.6. pat (port address translation)
   7.7. snat (source nat)
   7.8. masquerading
   7.9. dnat (destination nat)
   7.10. port forwarding
   7.11. /proc/sys/net/ipv4/ip_forward
   7.12. /etc/sysctl.conf
   7.13. sysctl
   7.14. practice: packet forwarding
   7.15. solution: packet forwarding
8. introduction to iptables
   8.1. iptables tables
   8.2. starting and stopping iptables
   8.3. the filter table
   8.4. practice: packet filtering
   8.5. solution: packet filtering
   8.6. network address translation


Chapter 7. introduction to routers


What follows is a very brief introduction to using Linux as a router.

7.1. router or firewall


A router is a device that connects two networks. A firewall is a device that, besides acting
as a router, also contains (and implements) rules to determine whether packets are allowed
to travel from one network to another. A firewall can be configured to block access based
on networks, hosts, protocols and ports. Firewalls can also change the contents of packets
while forwarding them.


(figure: a box labelled "router or firewall ?" between two networks)


7.2. packet forwarding 


Packet forwarding means allowing packets to go from one network to another. When a 
multihomed host is connected to two different networks, and it allows packets to travel from 
one network to another through its two network interfaces, it is said to have enabled packet 
forwarding. 


7.3. packet filtering


Packet filtering is very similar to packet forwarding, but every packet is individually tested
against rules that decide on allowing or dropping the packet. The rules live in the kernel's
netfilter framework and are managed with the iptables command.


7.4. stateful


A stateful firewall is an advancement over stateless firewalls that judge every individual
packet on its own. A stateful firewall keeps a table of active connections (the connection
tracking table), and is knowledgeable enough to recognise when a new packet belongs to an
already accepted session. Linux iptables is a stateful firewall when its rules use the state
or conntrack match; rules that only look at addresses and ports, like the ssh example in the
next chapter, are stateless.
7.5. nat (network address translation)


A nat device is a router that is also changing the source and/or target ip-address in packets.
It is typically used to connect multiple computers in a private address range (rfc 1918) with
the (public) internet. A nat can hide private addresses from the internet.


It is important to understand that people and vendors do not always use the right term when
referring to a certain type of nat. Be sure you talk about the same thing. We can distinguish
several types of nat.


7.6. pat (port address translation) 


nat often includes pat. A pat device is a router that is also changing the source and/or target 
tcp/udp port in packets. pat is Cisco terminology and is used by snat, dnat, masquerading 
and port forwarding in Linux. RFC 3022 calls it NAPT and defines the nat/pat combo as 
"traditional nat". A device sold to you as a nat-device will probably do nat and pat. 


7.7. snat (source nat) 


A snat device is changing the source ip-address when a packet passes our nat. snat 
configuration with iptables includes a fixed target source address. 


7.8. masquerading 


Masquerading is a form of snat that will hide the (private) source ip-addresses of your 
private network using a public ip-address. Masquerading is common on dynamic internet 
interfaces (broadband modem/routers). Masquerade configuration with iptables uses a 
dynamic target source address. 


7.9. dnat (destination nat) 


A dnat device is changing the destination ip-address when a packet passes our nat. 


7.10. port forwarding 


When static dnat is set up in a way that allows outside connections to enter our private 
network, then we call it port forwarding. 
7.11. /proc/sys/net/ipv4/ip_forward


Whether a host is currently forwarding packets is defined in /proc/sys/net/ipv4/ip_forward.
Writing to this file changes the running kernel immediately, and the change is lost at the
next reboot. The following screenshot shows how to enable packet forwarding on Linux.


root@router~# echo 1 > /proc/sys/net/ipv4/ip_forward 


The next command shows how to disable packet forwarding. 


root@router~# echo 0 > /proc/sys/net/ipv4/ip_forward 


Use cat to check if packet forwarding is enabled. 


root@router~# cat /proc/sys/net/ipv4/ip_forward 


7.12. /etc/sysctl.conf


By default, most Linux computers are not configured for automatic packet forwarding.
To enable packet forwarding whenever the system starts, set the net.ipv4.ip_forward
variable in /etc/sysctl.conf (or in a file under /etc/sysctl.d/ on newer systems) to the
value 1. This takes effect at boot, or when you run sysctl -p; it does not by itself change
the running value in /proc.


root@router~# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 0


7.13. sysctl


For more information, take a look at the man page of sysctl.

root@debian6~# man sysctl


root@debian6~# sysctl -a 2>/dev/null | grep ip_forward
net.ipv4.ip_forward = 0
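
Because the running value (/proc) and the boot value (sysctl.conf and the sysctl.d drop-ins)
are two different things, they drift apart: someone echoes 1 into /proc on a host that is
not supposed to route, or edits sysctl.conf and forgets sysctl -p. The script below is an
added example, not from the original text or from the procps package: it reads both, applies
the rule that the last assignment wins (sysctl --system reads /etc/sysctl.d/*.conf before
/etc/sysctl.conf), and reports any mismatch. The paths are parameters so the check can be
run against copies; the drop-in name /etc/sysctl.d/99-router.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the original text): compare the running ip_forward
# value with the value that will apply after a reboot. Paths are parameters
# so the functions can be exercised on copies; the drop-in file name
# /etc/sysctl.d/99-router.conf is an assumption.

# Current kernel value: what the router does right now.
runtime_forwarding() {   # $1 optional: path of the /proc file
    cat "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Boot-time value. The last assignment wins, and sysctl --system reads
# /etc/sysctl.d/*.conf before /etc/sysctl.conf, so pass the files in that
# order. Comments and "net.ipv4.ip_forward=1" without spaces are handled;
# no assignment anywhere means the kernel default, 0.
boot_forwarding() {      # $@ config files in load order
    v=$(cat "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' |
        tail -n 1)
    echo "${v:-0}"
}

# 0 when both agree, 1 (and a message) when someone changed /proc by hand
# or edited the config without running sysctl -p.
compare_forwarding() {   # $1 /proc file, then config files in load order
    rt=$(runtime_forwarding "$1"); shift
    bt=$(boot_forwarding "$@")
    if [ "$rt" = "$bt" ]; then
        echo "consistent: ip_forward=$rt"
        return 0
    fi
    echo "drift: running=$rt boot=$bt"
    return 1
}

# Make the change in both places at once.
enable_forwarding() {    # $1 drop-in file
    printf 'net.ipv4.ip_forward = 1\n' > "$1"
    sysctl -w net.ipv4.ip_forward=1
}

# "./forward.sh check" reports on the real system, "./forward.sh enable"
# turns routing on persistently; no argument only defines the functions.
case "${1:-}" in
    check)  compare_forwarding /proc/sys/net/ipv4/ip_forward /etc/sysctl.d/*.conf /etc/sysctl.conf ;;
    enable) enable_forwarding /etc/sysctl.d/99-router.conf ;;
esac
```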
7.14. practice: packet forwarding


0. You have the option to select (or create) an internal network when adding a network card
in VirtualBox or VMWare. Use this option to create two internal networks. I named them
leftnet and rightnet, but you can choose any other name.


(VirtualBox network settings of the router)
Adapter 1: Intel PRO/1000 MT Desktop (Bridged Adapter, en1: AirPort)
Adapter 2: Intel PRO/1000 MT Desktop (Internal Network, 'leftnet')
Adapter 3: Intel PRO/1000 MT Desktop (Internal Network, 'rightnet')


1. Set up two Linux machines, one on leftnet, the other on rightnet. Make sure they both 
get an ip-address in the correct subnet. These two machines will be ‘left’ and 'right' from 
the 'router'. 




2. Set up a third Linux computer with three network cards, one on leftnet, another on
rightnet (the third one is used in step 6). This computer will be the 'router'. Complete the
table below with the relevant names, ip-addresses and mac-addresses.


Table 7.1. Packet Forwarding Exercise

       leftnet computer   the router (leftnet side)   the router (rightnet side)   rightnet computer
MAC
IP

3. How can you verify whether the router will allow packet forwarding by default or not ? 
Test that you can ping from the router to the two other machines, and from those two 
machines to the router. Use arp -a to make sure you are connected with the correct mac 
addresses. 
4. Ping from the leftnet computer to the rightnet computer. Enable and/or disable packet
forwarding on the router and verify what happens to the ping between the two networks. If
you do not succeed in pinging between the two networks (on different subnets), then use a
sniffer like wireshark or tcpdump to discover the problem.


5. Use wireshark or tcpdump -xx to answer the following questions. Does the source MAC 
change when a packet passes through the filter ? And the destination MAC ? What about 
source and destination IP-addresses ? 


6. Remember the third network card on the router ? Connect this card to a LAN with internet
connection. On many LAN's the command dhclient eth0 just works (replace eth0 with the
correct interface).


root@router~# dhclient eth0


You now have a setup similar to this picture. What needs to be done to give internet access
to leftnet and rightnet ?


(figure: leftnet - router - rightnet, with the router's third card on the LAN with internet)
7.15. solution: packet forwarding


(VirtualBox network settings of the router)
Adapter 1: Intel PRO/1000 MT Desktop (Bridged Adapter, en1: AirPort)
Adapter 2: Intel PRO/1000 MT Desktop (Internal Network, 'leftnet')
Adapter 3: Intel PRO/1000 MT Desktop (Internal Network, 'rightnet')


1. Set up two Linux machines, one on leftnet, the other on rightnet. Make sure they both
get an ip-address in the correct subnet. These two machines will be 'left' and 'right' from
the 'router'.


(figure: leftnet - router - rightnet)


The ip configuration on your computers should be similar to the following two screenshots.
Both machines must be in a different subnet (here 192.168.60.0/24 and 192.168.70.0/24). I
created a little script on both machines to configure the interfaces.


root@left~# cat leftnet.sh
pkill dhclient
ifconfig eth0 192.168.60.8 netmask 255.255.255.0


root@right~# cat rightnet.sh
pkill dhclient
ifconfig eth0 192.168.70.9 netmask 255.255.255.0


2. Set up a third Linux computer with three network cards, one on leftnet, another on
rightnet. This computer will be the 'router'. Complete the table below with the relevant
names, ip-addresses and mac-addresses.

root@router~# cat router.sh
ifconfig eth1 192.168.60.1 netmask 255.255.255.0
ifconfig eth2 192.168.70.1 netmask 255.255.255.0
#echo 1 > /proc/sys/net/ipv4/ip_forward


Your setup may use different ip and mac addresses than the ones in the table below.


Table 7.2. Packet Forwarding Solution

       leftnet computer    the router (eth1)    the router (eth2)    rightnet computer
MAC    08:00:27:f6:ab:b9   08:00:27:43:1f:5a    08:00:27:be:4a:6b    08:00:27:14:8b:17
IP     192.168.60.8        192.168.60.1         192.168.70.1         192.168.70.9
3. How can you verify whether the router will allow packet forwarding by default or not ?
Test that you can ping from the router to the two other machines, and from those two
machines to the router. Use arp -a to make sure you are connected with the correct mac
addresses.


The boot-time setting is in /etc/sysctl.conf ("grep ip_forward /etc/sysctl.conf", 1 is
enabled, 0 is disabled). The running value is what "sysctl -a | grep ip_forward" or
"cat /proc/sys/net/ipv4/ip_forward" shows; the two can differ after someone wrote to /proc.


root@router~# grep ip_for /etc/sysctl.conf
net.ipv4.ip_forward = 0


4. Ping from the leftnet computer to the rightnet computer. Enable and/or disable packet 
forwarding on the router and verify what happens to the ping between the two networks. If 
you do not succeed in pinging between the two networks (on different subnets), then use a 
sniffer like wireshark or tcpdump to discover the problem. 


Did you forget to add a default gateway to the LAN machines ? Use route add default 
gw 'ip-address'. 

root@left~# route add default gw 192.168.60.1 

root@right~# route add default gw 192.168.70.1 

You should be able to ping when packet forwarding is enabled (and both default gateways 


are properly configured). The ping will not work when packet forwarding is disabled or 
when gateways are not configured correctly. 


5. Use wireshark or tcpdump -xx to answer the following questions. Does the source MAC
change when a packet passes through the filter ? And the destination MAC ? What about
source and destination IP-addresses ?

Both MAC addresses are changed when passing the router (the router rewrites the ethernet
header for the next hop); the source and destination IP-addresses stay the same, since a
plain router does not rewrite them (that only happens with nat). Use tcpdump -xx like this:

root@router~# tcpdump -xx -i eth1


root@router~# tcpdump -xx -i eth2
6. Remember the third network card on the router ? Connect this card to a LAN with internet
connection. On many LAN's the command dhclient eth0 just works (replace eth0 with the
correct interface).


root@router~# dhclient eth0


You now have a setup similar to this picture. What needs to be done to give internet access
to leftnet and rightnet ?


The clients on leftnet and rightnet need a working dns server. We use one of Google's
dns servers here (run this on each client).


echo nameserver 8.8.8.8 > /etc/resolv.conf


They also need the router to forward their packets and, because 192.168.60.0/24 and
192.168.70.0/24 are private addresses that the internet will not route back to, to
masquerade them behind its own address; that is covered in the nat section of the next
chapter.
Chapter 8. introduction to iptables


This chapter introduces some simple firewall rules and how to configure them with iptables.


iptables is the user-space command that configures the netfilter firewall functionality built
into the Linux kernel.
8.1. iptables tables


By default there are three tables in the kernel that contain sets of rules: filter, nat and
mangle.


The filter table is used for packet filtering. 
root@debian6~# iptables -t filter -L 
Chain INPUT (policy ACCEPT) 


target prot opt source destination 


Chain FORWARD (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 
target prot opt source destination 


The nat table is used for address translation. 
root@debian6~# iptables -t nat -L 
Chain PREROUTING (policy ACCEPT) 


target prot opt source destination 


Chain POSTROUTING (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 
target prot opt source destination 


The mangle table can be used for special-purpose processing of packets. 


Series of rules in each table are called a chain. We will discuss chains and the nat table 
later in this chapter. 


8.2. starting and stopping iptables


The following screenshot shows how to stop and start iptables on Red Hat/Fedora/CentOS
and compatible distributions. Stopping flushes the rules and resets the policies to ACCEPT;
starting loads the rules saved in /etc/sysconfig/iptables.


[root@centos6 ~]# service iptables stop
[root@centos6 ~]# service iptables start
iptables: Applying firewall rules                          [  OK  ]
[root@centos6 ~]#


Debian and *buntu distributions do not have this script. Rules are gone after a reboot
unless something loads them again (the iptables-persistent package does this from
/etc/iptables/rules.v4), and the closest thing to "stopping" is flushing the rules and
setting the policies back to ACCEPT. You can also remove the command altogether, although
the kernel functionality remains:


root@debian6~# aptitude purge iptables
8.3. the filter table

8.3.1. about packet filtering


Packet filtering is a bit more than packet forwarding. While packet forwarding uses only
a routing table to make decisions, packet filtering also uses a list of rules. The kernel will
inspect packets and decide based on these rules what to do with each packet.


8.3.2. filter table 


The filter table in iptables has three chains (sets of rules). The INPUT chain is used for any 
packet coming into the system. The OUTPUT chain is for any packet leaving the system. 
And the FORWARD chain is for packets that are forwarded (routed) through the system. 


(figure: inside the kernel, packets for local processes pass the INPUT chain, packets from
local processes pass the OUTPUT chain, and routed packets pass the FORWARD chain)


The screenshot below shows how to list the filter table and all its rules. 


[root@RHEL5 ~]# iptables -t filter -nL 
Chain INPUT (policy ACCEPT) 
target prot opt source destination 


Chain FORWARD (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 


target prot opt source destination 
[root@RHEL5 ~]# 


As you can see, all three chains in the filter table are set to ACCEPT everything. ACCEPT 
is the default behaviour. 
8.3.3. setting default rules


The default policy of each chain is indeed to ACCEPT everything. This is not the most secure
firewall.


A more secure setup would be to DROP everything. A packet that is dropped will not
continue in any chain, and no warning or error will be sent anywhere (the sender only sees
a timeout; the REJECT target would send an error back instead).


The below commands lock down a computer. Do not execute these commands inside a
remote ssh shell: the moment the INPUT policy becomes DROP your session's packets are
discarded and you lose access until the rules are changed at the console.


root@debianpaul~# iptables -P INPUT DROP
root@debianpaul~# iptables -P OUTPUT DROP
root@debianpaul~# iptables -P FORWARD DROP
root@debianpaul~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination


8.3.4. changing policy rules 


To start, let's set the default policy for all three chains to drop everything. Note that you 
might lose your connection when typing this over ssh ;-). 


[root@RHEL5 ~]# iptables -P INPUT DROP 
[root@RHEL5 ~]# iptables -P FORWARD DROP 
[root@RHEL5 ~]# iptables -P OUTPUT DROP 


Next, we allow the server to use its own loopback device (this allows the server to access 
its services running on localhost). We first append a rule to the INPUT chain to allow 
(ACCEPT) traffic from the lo (loopback) interface, then we do the same to allow packets to 
leave the system through the loopback interface. 


[root@RHEL5 ~]# iptables -A INPUT -i lo -j ACCEPT 
[root@RHEL5 ~]# iptables -A OUTPUT -o lo -j ACCEPT 


Looking at the filter table again (omitting -t filter because it is the default table).


[root@RHEL5 ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
8.3.5. Allowing ssh over eth0


This example shows how to add two rules to allow ssh access to your system from outside.
The second rule lets the replies out; it is stateless and trusts any packet that leaves from
source port 22, which a conntrack match on ESTABLISHED (see 7.4) would avoid.


[root@RHEL5 ~]# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
[root@RHEL5 ~]# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT


The filter table will look something like this screenshot (note that -v is added for more
verbose output).


[root@RHEL5 ~]# iptables -nvL
Chain INPUT (policy DROP 7 packets, 609 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 3 packets, 228 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22
[root@RHEL5 ~]#
8.3.6. Allowing access from a subnet


This example shows how to allow tcp access from any computer in the 10.1.1.0/24 network,
but only through eth1. There is no port (application) limitation here.


[root@RHEL5 ~]# iptables -A INPUT -i eth1 -s 10.1.1.0/24 -p tcp -j ACCEPT
[root@RHEL5 ~]# iptables -A OUTPUT -o eth1 -d 10.1.1.0/24 -p tcp -j ACCEPT


Together with the previous examples, the policy is expanding.


[root@RHEL5 ~]# iptables -nvL
Chain INPUT (policy DROP 7 packets, 609 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth1   *       10.1.1.0/24          0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 3 packets, 228 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:22
    0     0 ACCEPT     tcp  --  *      eth1    0.0.0.0/0            10.1.1.0/24
8.3.7. iptables save


Use iptables save to write the running rules to /etc/sysconfig/iptables, so that they are
loaded again when the firewall is (re)started. On Debian/Ubuntu the equivalent is
iptables-save > /etc/iptables/rules.v4 with the iptables-persistent package installed.


[root@RHEL5 ~]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
[root@RHEL5 ~]#


8.3.8. scripting example


You can write a simple script for these rules. Below is an example script that implements
the firewall rules that you saw before in this chapter.


#!/bin/bash

# first cleanup everything
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# default drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# allow loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow ssh over eth0 from outside to system
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

# allow any tcp traffic from 10.1.1.0/24 to system
iptables -A INPUT -i eth1 -s 10.1.1.0/24 -p tcp -j ACCEPT
iptables -A OUTPUT -o eth1 -d 10.1.1.0/24 -p tcp -j ACCEPT
8.3.9. Allowing ICMP(ping)


With the default DROP policies above, ping fails with 'Operation not permitted': the OUTPUT
chain drops the echo request before it leaves the machine, so the error comes from the local
kernel rather than from the network.


[root@RHEL5 ~]# ping 192.168.187.130
PING 192.168.187.130 (192.168.187.130) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted


The screenshot below shows you how to setup iptables to allow a ping from or to your
machine.


[root@RHEL5 ~]# iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
[root@RHEL5 ~]# iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT


The previous two lines do not allow other computers to route ping messages through your
router, because they only handle INPUT and OUTPUT. For routing of ping, you will need
to enable it on the FORWARD chain. The following command enables routing of icmp
messages between networks.


[root@RHEL5 ~]# iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
8.4. practice: packet filtering


1. Make sure you can ssh to your router-system when iptables is active. 
2. Make sure you can ping to your router-system when iptables is active. 


3. Define one of your networks as 'internal' and the other as 'external'. Configure the router 
to allow visits to a website (http) to go from the internal network to the external network 
(but not in the other direction). 


4. Make sure the internal network can ssh to the external, but not the other way around. 
8.5. solution: packet filtering


A possible solution, where leftnet is the internal and rightnet is the external network.


#!/bin/bash

# first cleanup everything
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# default drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# allow loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# question 1: allow ssh over eth0
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

# question 2: allow icmp (ping) anywhere
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT

# question 3: allow http from internal (leftnet) to external (rightnet)
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -p tcp --sport 80 -j ACCEPT

# question 4: allow ssh from internal (leftnet) to external (rightnet)
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -p tcp --sport 22 -j ACCEPT

# allow http from external (rightnet) to internal (leftnet)
# iptables -A FORWARD -i eth2 -o eth1 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth2 -p tcp --sport 80 -j ACCEPT

# allow rpcinfo over eth0 from outside to system
iptables -A INPUT -i eth0 -p tcp --dport 111 -j ACCEPT
# iptables -A OUTPUT -o eth2 -p tcp --sport 111 -j ACCEPT


Note that the return rules for questions 3 and 4 match on the source port only: any host on
rightnet that sends from port 80 or 22 is let through to any port on leftnet. Matching on
connection state instead of source port closes that hole.
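The scripts in 8.3.8 and in this solution are stateless: replies are admitted by matching the source port, so anything sent from port 80 or 22 passes. The script below is an added example, not the book's, that builds the same policy with connection tracking (the state match). It keeps the interface roles of the solution (eth0 for ssh to the router, eth1 leftnet, eth2 rightnet; these defaults are assumptions and can be overridden through the environment) and wraps iptables so that it only prints the rules unless APPLY=1 is set, which lets you review the rule set on a machine where you are not root.

```shell
#!/bin/bash
# Stateful rewrite of the packet-filtering solution. Added example, not the
# book's script. Interface roles are assumed as in section 8.5:
# eth0 = management side, eth1 = leftnet (internal), eth2 = rightnet (external).
# Dry run by default: the rules are printed. Run as root with APPLY=1 to load them.

MGMT_IF="${MGMT_IF:-eth0}"   # ssh to the router itself arrives here
INT_IF="${INT_IF:-eth1}"     # leftnet, the trusted side
EXT_IF="${EXT_IF:-eth2}"     # rightnet, the untrusted side

# Wrapper around iptables: print the command in dry-run mode, execute when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

firewall_rules() {
    # flush everything and start from deny-by-default in all three chains
    ipt -t filter -F
    ipt -t filter -X
    ipt -t nat -F
    ipt -t nat -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # loopback
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies for every connection the rules below admit. This replaces the
    # "--sport 22" and "--sport 80" return rules of the stateless solution,
    # which let any external host reach any internal port simply by sending
    # from source port 80 or 22.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # packets that belong to no tracked connection (e.g. TCP without SYN)
    ipt -A INPUT   -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP

    # question 1: new ssh sessions to the router, management interface only
    ipt -A INPUT -i "$MGMT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # question 2: ping to, from and through the router. Only echo-request is
    # opened; echo-reply and ICMP errors arrive as ESTABLISHED/RELATED.
    ipt -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT  -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

    # questions 3 and 4: http and ssh may only be initiated from leftnet to
    # rightnet. No reverse rule is needed: the return path is ESTABLISHED and
    # a SYN arriving on the external interface hits the DROP policy.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# With OUTPUT at DROP the router can only answer, not initiate, connections;
# add explicit OUTPUT rules (dns, ntp, package updates) when the router needs them.
firewall_rules
```

Run it once without APPLY to read the generated rule set, then `APPLY=1 ./firewall.sh` as root; iptables-save afterwards shows the same lines.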
8.6. network address translation


8.6.1. about NAT


A NAT device is a router that also changes the source and/or destination ip-address in packets.
It is typically used to connect multiple computers in a private address range with the (public)
internet. A NAT hides private addresses from the internet, but hiding is not filtering: what may
pass through the router is still decided by the FORWARD chain.


NAT was developed to conserve public ip addresses, to allow private address ranges
to reach the internet and back, and to not disclose details about internal networks to the
outside.


The nat table in iptables adds two new chains. PREROUTING alters packets as they arrive,
before the routing decision (so before INPUT or FORWARD sees them). POSTROUTING alters
packets after routing, just before they leave the system (after OUTPUT or FORWARD). The nat
table also has its own OUTPUT chain, for packets generated locally.




Use iptables -t nat -nL to look at the NAT table (add -v for packet and byte counters). The
screenshot below shows an empty NAT table.


[root@RHEL5 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@RHEL5 ~]#
8.6.2. SNAT (Source NAT)


The goal of source nat is to change the source address inside a packet before it leaves the
system (e.g. to the internet). The destination will return its reply to the NAT-device. This
means our NAT-device needs to keep a table in memory of every connection it translated (the
connection-tracking table), so it can deliver the reply to the original source (e.g. in the
private network).


Because SNAT is about packets leaving the system, it uses the POSTROUTING chain.


Here is an example SNAT rule. The rule says that packets coming from the 10.1.1.0/24 network
and exiting via eth1 will get the source ip-address set to 11.12.13.14. (Note that this is a
one line command!)


iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j SNAT \
--to-source 11.12.13.14


Of course there must exist a proper iptables filter setup to allow the packet to traverse from
one network to the other.


8.6.3. SNAT example setup


This example script uses a typical nat setup. The internal (eth0) network has access via
SNAT to external (eth1) webservers (port 80).


#!/bin/bash
#
# iptables script for simple classic nat websurfing
# eth0 is internal network, eth1 is internet
#
echo 0 > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A FORWARD -i eth0 -o eth1 -s 10.1.1.0/24 -p tcp \
--dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d 10.1.1.0/24 -p tcp \
--sport 80 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j SNAT \
--to-source 11.12.13.14

echo 1 > /proc/sys/net/ipv4/ip_forward
8.6.4. IP masquerading


IP masquerading is very similar to SNAT, but is meant for dynamic interfaces. A typical
example is a broadband 'router/modem' connected to the internet that receives a different
ip-address from the isp each time it is cold-booted. MASQUERADE takes the address from the
outgoing interface at the moment the packet leaves, so no fixed --to-source is needed.


The only change needed to convert the SNAT script to masquerading is one line.


iptables -t nat -A POSTROUTING -o eth1 -s 10.1.1.0/24 -j MASQUERADE


8.6.5. DNAT (Destination NAT)


DNAT is typically used to allow packets from the internet to be redirected to an internal
server (in your DMZ) in a private address range that is not directly accessible from the
internet.


This example script allows internet users to reach your internal (192.168.1.99) server via
ssh (port 22). Because PREROUTING runs before the routing decision, the FORWARD chain
sees the packet with its translated destination, so the filter rule matches on port 22 towards
eth0. Remember that the server's replies must pass FORWARD as well: the first FORWARD
rule below only covers 10.1.1.0/24, so the server must be in that range or get a rule of its own.


#!/bin/bash
#
# iptables script for DNAT
# eth0 is internal network, eth1 is internet
#
echo 0 > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A FORWARD -i eth0 -o eth1 -s 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 \
-j DNAT --to-destination 192.168.1.99

echo 1 > /proc/sys/net/ipv4/ip_forward
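The SNAT, masquerading and DNAT scripts of 8.6.3 to 8.6.5 each show one translation in isolation and leave INPUT at ACCEPT. The script below is an added example, not the book's, that combines them into one router with connection tracking: outbound websurfing through SNAT (or MASQUERADE on a dynamic uplink), a port forward for ssh to the internal server, and a FORWARD rule that names the forwarded host explicitly. It uses the book's placeholder values (eth0 internal, eth1 internet, 10.1.1.0/24, public address 11.12.13.14, server 192.168.1.99); that the server is reachable through eth0 is an assumption. Like the previous example, it prints the rules unless APPLY=1 is set.

```shell
#!/bin/bash
# NAT router combining the SNAT (8.6.3) and DNAT (8.6.5) scripts, with
# connection tracking. Added example, not the book's script. Addresses and
# interfaces are the book's placeholders; the ssh server 192.168.1.99 is
# assumed to be routed through the internal interface.
# Dry run by default; run as root with APPLY=1 to load the rules.

INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
INT_NET="${INT_NET:-10.1.1.0/24}"
PUBLIC_IP="${PUBLIC_IP:-11.12.13.14}"
DMZ_HOST="${DMZ_HOST:-192.168.1.99}"

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# The book switches routing off while the rules load and on again afterwards,
# so no packet is forwarded through a half-built rule set.
set_forwarding() {
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    else
        printf 'ip_forward=%s\n' "$1"
    fi
}

# usage: nat_rules snat|masquerade
nat_rules() {
    mode="${1:-snat}"
    set_forwarding 0

    ipt -t filter -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the router itself is managed from the inside only
    ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # outbound websurfing from the internal network (the SNAT example)
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Source translation for everything leaving towards the internet. SNAT needs
    # the fixed public address; MASQUERADE reads it from the interface, which is
    # what a dynamic (broadband) uplink needs.
    if [ "$mode" = "masquerade" ]; then
        ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
    else
        ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$PUBLIC_IP"
    fi

    # Port forward: PREROUTING rewrites the destination before routing, so the
    # FORWARD rule matches on the translated address. Naming $DMZ_HOST keeps a
    # later DNAT for another host from silently widening this rule. Replies
    # from the server are un-translated by conntrack and pass as ESTABLISHED.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 -j DNAT --to-destination "$DMZ_HOST"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$DMZ_HOST" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    set_forwarding 1
}

nat_rules "${1:-snat}"
```

`./nat.sh masquerade` prints the variant for a dynamic uplink; the only line that changes is the POSTROUTING rule.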
Chapter 9. introduction to samba


This introduction to the Samba server simply explains how to install Samba 3 and briefly 
mentions the SMB protocol. 
9.1. verify installed version


9.1.1. .rpm based distributions


To see the version of samba installed on Red Hat, Fedora or CentOS use rpm -q samba.


[root@RHEL52 ~]# rpm -q samba
samba-3.0.28-1.el5_2.1


The screenshot above shows that RHEL5 has Samba version 3.0 installed. The last number
in the Samba version counts the number of updates or patches.


Below the same command on a more recent version of CentOS with Samba version 3.5
installed.


[root@centos6 ~]# rpm -q samba
samba-3.5.10-116.el6_2.i686


9.1.2. .deb based distributions


Use dpkg -l or aptitude show on Debian or Ubuntu. Both Debian 7.0 (Wheezy) and Ubuntu
12.04 (Precise) use version 3.6.3 of the Samba server.


root@debian7~# aptitude show samba | grep Version 
Version: 233. SS 


Ubuntu 12.04 is currently at Samba version 3.6.3.


root@ubu1204:~# dpkg -l samba | grep samba
ii  samba   2:3.6.3-2ubuntu2.1   SMB/CIFS file, print, and login server for Unix
9.2. installing samba


9.2.1. .rpm based distributions


Samba is installed by default on Red Hat Enterprise Linux. If Samba is not yet installed,
then you can use the graphical menu (Applications -- System Settings -- Add/Remove
Applications) and select "Windows File Server" in the Server section. The non-graphical
way is to use rpm or yum.


When you have downloaded the .rpm file, you can install Samba like this.


[paul@RHEL52 ~]$ rpm -i samba-3.0.28-1.el5_2.1.rpm


When you have a subscription to RHN (Red Hat Network), then yum is an easy tool to use.
This yum command works by default on Fedora and CentOS.


[root@centos6 ~]# yum install samba


9.2.2. .deb based distributions


Ubuntu and Debian users can use the aptitude program (or use a graphical tool like
Synaptic).


root@debian7:~# aptitude install samba
The following NEW packages will be installed:
  samba samba-common{a} samba-common-bin{a} tdb-tools{a}
0 packages upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
Need to get 15.1 MB of archives. After unpacking 42.9 MB will be used.
Do you want to continue? [Y/n/?]
9.3. documentation


9.3.1. samba howto


Samba comes with excellent documentation in html and pdf format (also as a free
download from samba.org, and for sale as a printed book).


The documentation is a separate package, so install it if you want it on the server itself.


[root@centos6 ~]# yum install samba-doc


[root@centos6 ~]# ls -l /usr/share/doc/samba-doc-3.5.10/
total 10916
drwxr-xr-x. 6 root root    4096 May  6 15:50 htmldocs
-rw-r--r--. 1 root root 4605496 Jun 14  2011 Samba3-ByExample.pdf
-rw-r--r--. 1 root root  608260 Jun 14  2011 Samba3-Developers-Guide.pdf
-rw-r--r--. 1 root root 5954602 Jun 14  2011 Samba3-HOWTO.pdf


This action is very similar on Ubuntu and Debian except that the pdf files are in a separate
package named samba-doc-pdf.


root@ubu1204:~# aptitude install samba-doc-pdf
The following NEW packages will be installed:
  samba-doc-pdf


9.3.2. samba by example


Besides the howto, there is also an excellent book called Samba By Example (again
available as printed edition in shops, and as a free pdf and html).
9.4. starting and stopping samba


You can start the daemons by invoking /etc/init.d/smb start (some systems use /etc/init.d/
samba) on any linux.


root@laika:~# /etc/init.d/samba stop
 * Stopping Samba daemons                                          [ OK ]
root@laika:~# /etc/init.d/samba start
 * Starting Samba daemons                                          [ OK ]
root@laika:~# /etc/init.d/samba restart
 * Stopping Samba daemons                                          [ OK ]
 * Starting Samba daemons                                          [ OK ]
root@laika:~# /etc/init.d/samba status
 * SMBD is running                                                 [ OK ]


Red Hat derived systems are happy with service smb start.


[root@RHEL4b ~]# /etc/init.d/smb start
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root@RHEL4b ~]# service smb restart
Shutting down SMB services:                                [  OK  ]
Shutting down NMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]
[root@RHEL4b ~]#
9.5. samba daemons


Samba 3 consists of three daemons, they are named nmbd, smbd and winbindd.


9.5.1. nmbd


The nmbd daemon takes care of all the names and naming. It registers and resolves names,
and handles browsing. According to the Samba documentation, it should be the first daemon
to start.


[root@RHEL52 ~]# ps -C nmbd
  PID TTY          TIME CMD
 5681 ?        00:00:00 nmbd


9.5.2. smbd


The smbd daemon manages file transfers and authentication.


[root@RHEL52 ~]# ps -C smbd
  PID TTY          TIME CMD
 5678 ?        00:00:00 smbd
 5683 ?        00:00:00 smbd


9.5.3. winbindd


The winbind daemon (winbindd) is only started to handle Microsoft Windows domain
membership.


Note that winbindd is started by the /etc/init.d/winbind script (two dd's for the daemon and
only one d for the script).


[root@RHEL52 ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
[root@RHEL52 ~]# ps -C winbindd
  PID TTY          TIME CMD
      ?        00:00:00 winbindd
 5754 ?        00:00:00 winbindd


On Debian and Ubuntu, the winbindd daemon is installed via a separate package called
winbind.
9.6. the SMB protocol


9.6.1. brief history


Development of this protocol was started by IBM in the early eighties. By the end of the
eighties, most development was done by Microsoft. SMB is an application level protocol
designed to run on top of NetBIOS/NetBEUI, but can also be run on top of tcp/ip.


In 1996 Microsoft was asked to document the protocol. They submitted CIFS (Common
Internet File System) as an internet draft, but it never got final rfc status.


In 2004 the European Union decided Microsoft should document the protocol to enable
other developers to write compatible software. On December 20th 2007 Microsoft came to an
agreement. The Samba team now has access to SMB/CIFS, Windows for Workgroups and
Active Directory documentation.


9.6.2. broadcasting protocol


SMB uses the NetBIOS name service, which is a broadcasting protocol. This
means that NetBIOS names have to be unique on the network (even when you have
different IP-addresses). Having duplicate names on an SMB network can seriously harm
communications.


9.6.3. NetBIOS names


NetBIOS names are similar to hostnames, but are always uppercase and at most 15 characters
long (the sixteenth byte of a NetBIOS name is a suffix that identifies the service). Microsoft
Windows computers and Samba servers will broadcast this name on the network.


9.6.4. network bandwidth


Having many broadcasting SMB/CIFS computers on your network can cause bandwidth
issues. A solution can be the use of a NetBIOS name server (NBNS) like WINS (Windows
Internet Naming Service).
9.7. practice: introduction to samba


0. !! Make sure you know your student number, anything *ANYTHING* you name must 
include your student number! 


1. Verify that you can logon to a Linux/Unix computer. Write down the name and ip address 
of this computer. 


2. Do the same for all the other (virtual) machines available to you. 


3. Verify networking by pinging the computer, edit the appropriate hosts files so you can 
use names. Test the names by pinging them. 


4. Make sure Samba is installed, write down the version of Samba. 


5. Open the Official Samba-3 howto pdf file that is installed on your computer. How many 
A4 pages is this file ? Then look at the same pdf on samba.org, it is updated regularly. 


6. Stop the Samba server. 
10.1. /etc/samba/smb.conf


10.1.1. smbd -b


Samba configuration is done in the smb.conf file. The file can be edited manually, or you 
can use a web based interface like webmin or swat to manage it. The file is usually located 
in /etc/samba. You can find the exact location with smbd -b. 


[root@RHEL4b ~]# smbd -b | grep CONFIGFILE 
CONFIGFILE: /etc/samba/smb.conf 


10.1.2. the default smb.conf 


The default smb.conf file contains a lot of examples with explanations. 


[paul@RHEL4b ~]$ ls -l /etc/samba/smb.conf
-rw-r--r-- 1 root root 10836 May 30 23:08 /etc/samba/smb.conf


Also on Ubuntu and Debian, smb.conf is packed with samples and explanations. 


paul@laika:~$ ls -l /etc/samba/smb.conf
SENS te. root root 055 2007-05-24 00.21 461 c//s2mlavSmbsceotf 


10.1.3. minimal smb.conf 


Below is an example of a very minimalistic smb.conf. It allows samba to start, and to be 
visible to other computers (Microsoft shows computers in Network Neighborhood or My 
Network Places). 


[paul@RHEL4b ~]$ cat /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
[firstshare]
path = /srv/samba/public


10.1.4. net view 


Below is a screenshot of the net view command on Microsoft Windows Server 2003 sp2.
It shows how a Red Hat Enterprise Linux 5.3 and an Ubuntu 9.04 Samba server, both with a
minimalistic smb.conf, are visible to Microsoft computers nearby.


C:\Documents and Settings\Administrator>net view
Server Name            Remark

\\LAIKA                Samba 3.3.2
\\RHEL53               Samba 3.0.33-3.7.el5
\\W2003
The command completed successfully.


10.1.5. long lines in smb.conf 


Some parameters in smb.conf can get a long list of values behind them. You can continue a 
line (for clarity) on the next by ending the line with a backslash. 


valid users = Serena, Venus, Lindsay \
Kim, Justine, Sabine \
Amelie, Marie, Suzanne


10.1.6. curious smb.conf 


Curious but true: smb.conf accepts synonyms like create mode and create mask, and
(sometimes) minor spelling errors like browsable and browseable. And on occasion you
can even switch words, the guest only parameter is identical to only guest. And writable
= yes is the same as read only = no. Keep this in mind when grepping a configuration for
a setting: a share can be writable without the words "read only" appearing anywhere.


10.1.7. man smb.conf


You can access a lot of documentation when typing man smb.conf, and apropos samba lists
the other manual pages of the suite.


[root@RHEL4b samba]# apropos samba
cupsaddsmb (8)       - export printers to samba for windows clients
lmhosts (5)          - The Samba NetBIOS hosts file
net (8)              - Tool for administration of Samba and remote CIFS servers
pdbedit (8)          - manage the SAM database (Database of Samba Users)
samba (7)            - A Windows SMB/CIFS fileserver for UNIX
smb.conf [smb] (5)   - The configuration file for the Samba suite
smbpasswd (5)        - The Samba encrypted password file
smbstatus (1)        - report on current Samba connections
swat (8)             - Samba Web Administration Tool
tdbbackup (8)        - tool for backing up and ... of samba .tdb files
[root@RHEL4b samba]#


10.2. /usr/bin/testparm


10.2.1. syntax check smb.conf


To verify the syntax of the smb.conf file, you can use testparm.


[paul@RHEL4b ~]$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[firstshare]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions


10.2.2. testparm -v


An interesting option is testparm -v, which will output all the global options with their
default value.


[root@RHEL52 ~]# testparm -v | head
Load smb config files from /etc/samba/smb.conf
Processing section "[pub0]"
Processing section "[global$]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        dos charset = CP850
        unix charset = UTF-8
        display charset = LOCALE
        workgroup = WORKGROUP
        realm =
        netbios name = TEACHERO
        netbios aliases =
        netbios scope =
        server string = Samba 3.0.28-1.el5_2.1


There were about 350 default values for smb.conf parameters in Samba 3.0.x. This number
grew to almost 400 in Samba 3.5.x.


10.2.3. testparm -s


The samba daemons check the smb.conf file regularly (once every 60 seconds) for changes, so it
is good practice to keep this file small. But it is also good practice to document your samba
configuration, and to explicitly set options even when they have the default value. The testparm
-s option allows you to do both. It will output the smallest possible samba configuration file,
while retaining all your settings. The idea is to keep your documented samba configuration in
another file (like smb.conf.full) and let testparm parse this for you. The screenshot below shows
you how. First the smb.conf.full file, with the option workgroup explicitly set to WORKGROUP.


[root@RHEL4b samba]# cat smb.conf.full
[global]
workgroup = WORKGROUP

# This is a demo of a documented smb.conf
# These two lines are removed by testparm -s

server string = Public Test Server

[firstshare]
path = /srv/samba/public


Next, we execute testparm with the -s option, and redirect stdout to the real smb.conf file.


[root@RHEL4b samba]# testparm -s smb.conf.full > smb.conf
Load smb config files from smb.conf.full
Processing section "[firstshare]"
Loaded services file OK.


And below is the end result. The two comment lines and the default option are no longer
there.


[root@RHEL4b samba]# cat smb.conf
# Global parameters
[global]
        server string = Public Test Server

[firstshare]
        path = /srv/samba/public
[root@RHEL4b samba]#


10.3. /usr/bin/smbclient


10.3.1. smbclient looking at Samba


With smbclient you can see browsing and share information from your smb server. It will
display all your shares, your workgroup, and the name of the Master Browser. The -N switch
is added to avoid having to enter an empty password. The -L switch is followed by the name
of the host to check.


[root@RHEL4b init.d]# smbclient -NL rhel4b
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.10-1.4E.9]

        Sharename       Type      Comment
        firstshare      Disk
        IPC$            IPC       IPC Service (Public Test Server)
        ADMIN$          IPC       IPC Service (Public Test Server)
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.10-1.4E.9]

        Server               Comment
        RHEL4B               Public Test Server
        WINXP

        Workgroup            Master
        WORKGROUP            WINXP

10.3.2. smbclient anonymous


The screenshot below uses smbclient to display information about a remote smb server (in
this case a computer with Ubuntu 11.10).


root@ubu1110:/etc/samba# smbclient -NL 127.0.0.1
Anonymous login successful
Domain=[LINUXTR] OS=[Unix] Server=[Samba 3.5.11]

        Sharename       Type      Comment
        share1          Disk
        IPC$            IPC       IPC Service (Samba 3.5.11)
Anonymous login successful
Domain=[LINUXTR] OS=[Unix] Server=[Samba 3.5.11]

        Server               Comment

        Workgroup            Master
        LINUXTR              DEBIAN6
        WORKGROUP            UBU1110


10.3.3. smbclient with credentials


Windows versions after xp sp2 and 2003 sp1 do not accept guest access (the
NT_STATUS_ACCESS_DENIED error). This example shows how to provide credentials
with smbclient: -U takes user%password. Putting the password on the command line exposes
it to every local user through ps and leaves it in the shell history; outside a lab, give only
-U administrator and let smbclient prompt for the password, or read the credentials from a
file with -A.


[paul@RHEL53 ~]$ smbclient -L w2003 -U administrator%stargate
Domain=[W2003] OS=[Windows Server 2003 3790 Service Pack 2] Server=...

        Sharename       Type      Comment
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin


10.4. /usr/bin/smbtree


Another useful tool to troubleshoot Samba or simply to browse the SMB network is smbtree.
In its simplest form, smbtree will do an anonymous browse of the local subnet, displaying
all SMB computers and (if authorized) their shares.


Let's take a look at two screenshots of smbtree in action (with blank password). The first
one is taken immediately after booting four different computers (one MS Windows 2000,
one MS Windows xp, one MS Windows 2003 and one RHEL 4 with Samba 3.0.10).


[paul@RHEL4b ~]$ smbtree
Password:
WORKGROUP
PEGASUS
        \\WINXP
        \\RHEL4B                Pegasus Domain Member Server
Error connecting to 127.0.0.1 (Connection refused)
cli_full_connection: failed to connect to RHEL4B<20> (127.0.0.1)
        \\HM2003
[paul@RHEL4b ~]$


The information displayed in the previous screenshot looks incomplete. The browsing 
elections are still ongoing, the browse list is not yet distributed to all clients by the (to be 
elected) browser master. The next screenshot was taken about one minute later. And it shows 
even less. 


[paul@RHEL4b ~]$ smbtree
Password:
WORKGROUP
        \\W2000
[paul@RHEL4b ~]$


So we wait a while, and then run smbtree again, this time it looks a lot nicer. 


[paul@RHEL4b ~]$ smbtree
Password:
WORKGROUP
        \\W2000
PEGASUS
        \\WINXP
        \\RHEL4B                Pegasus Domain Member Server
                \\RHEL4B\ADMIN$         IPC Service (Pegasus Domain Member Server)
                \\RHEL4B\IPC$           IPC Service (Pegasus Domain Member Server)
                \\RHEL4B\domaindata     Active Directory users only
        \\HM2003
[paul@RHEL4b ~]$ smbtree --version
Version 3.0.10-1.4E.9
[paul@RHEL4b ~]$


I added the version number of smbtree in the previous screenshot, to show you the difference
when using the latest version of smbtree (below a screenshot taken from Ubuntu Feisty
Fawn). The latest version shows a more complete overview of machines and shares.


paul@laika:~$ smbtree --version
Version 3.0.24
paul@laika:~$ smbtree
Password:
WORKGROUP
        \\W2000
                \\W2000\firstshare
                \\W2000\C$              Default share
                \\W2000\ADMIN$          Remote Admin
                \\W2000\IPC$            Remote IPC
PEGASUS
        \\WINXP
cli_rpc_pipe_open: cli_nt_create failed on pipe \srvsvc to machine WINXP.
 Error was NT_STATUS_ACCESS_DENIED
        \\RHEL4B                Pegasus Domain Member Server
                \\RHEL4B\ADMIN$         IPC Service (Pegasus Domain Member Server)
                \\RHEL4B\IPC$           IPC Service (Pegasus Domain Member Server)
                \\RHEL4B\domaindata     Active Directory users only
        \\HM2003
cli_rpc_pipe_open: cli_nt_create failed on pipe \srvsvc to machine HM2003.
 Error was NT_STATUS_ACCESS_DENIED
paul@laika:~$


The previous screenshot also provides useful errors on why we cannot see share info on
computers WINXP and HM2003. Let us try the old smbtree version on our RHEL server, but
this time with Administrator credentials (which are the same on all computers).


[paul@RHEL4b ~]$ smbtree -UAdministrator%Stargate1
WORKGROUP
        \\W2000
PEGASUS
        \\WINXP
                \\WINXP\C$              Default share
                \\WINXP\ADMIN$          Remote Admin
                \\WINXP\share55
                \\WINXP\IPC$            Remote IPC
        \\RHEL4B                Pegasus Domain Member Server
                \\RHEL4B\ADMIN$         IPC Service (Pegasus Domain Member Server)
                \\RHEL4B\IPC$           IPC Service (Pegasus Domain Member Server)
                \\RHEL4B\domaindata     Active Directory users only
        \\HM2003
                \\HM2003\NETLOGON       Logon server share
                \\HM2003\SYSVOL         Logon server share
                \\HM2003\WSUSTemp       A network share used by Local Publishing
                \\HM2003\ADMIN$         Remote Admin
                \\HM2003\tools
                \\HM2003\IPC$           Remote IPC
                \\HM2003\WsusContent    A network share to be used by Local
                \\HM2003\C$             Default share
[paul@RHEL4b ~]$


As you can see, this gives a very nice overview of all SMB computers and their shares. 


10.5. server string


The comment seen by the net view and the smbclient commands is the default value for
the server string option. Simply adding this value to the global section in smb.conf and
restarting samba will change the option.


[root@RHEL53 samba]# testparm -s 2>/dev/null | grep server
        server string = Red Hat Server in Paris


After a short while, the changed option is visible on the Microsoft computers.


C:\Documents and Settings\Administrator>net view
Server Name            Remark

\\LAIKA                Ubuntu 9.04 server in Antwerp
\\RHEL53               Red Hat Server in Paris
\\W2003


10.6. Samba Web Administration Tool (SWAT)


Samba comes with a web based tool to manage your samba configuration file. SWAT is
accessible with a web browser on port 901 of the host system. To enable the tool, first find
out whether your system is using the inetd or the xinetd superdaemon.


[root@RHEL4b samba]# ps fax | grep inet
15026 pts/0    S+     0:00  \_ grep inet
      ?        Ss     0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
[root@RHEL4b samba]#


Then edit the inetd.conf or change the disable = yes line in /etc/xinetd.d/swat to disable
= no.


[root@RHEL4b samba]# cat /etc/xinetd.d/swat
# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
#              to configure your Samba server. To use SWAT, \
#              connect to port 901 with your favorite web browser.
service swat
{
        port            = 901
        socket_type     = stream
        wait            = no
        only_from       = 127.0.0.1
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
}
[root@RHEL4b samba]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@RHEL4b samba]#


Change the only_from value to enable swat from remote computers. This example shows
how to provide swat access to all computers in a /24 subnet.


[root@RHEL53 xinetd.d]# grep only /etc/xinetd.d/swat
        only_from       = 192.168.1.0/24


Be careful when using SWAT: it rewrites smb.conf and erases all your manually edited
comments. Note also that, as the xinetd entry shows, swat runs as root, and it speaks plain
HTTP, so the root password you log in with crosses the network in clear text. Keep only_from
as narrow as you can and do not open port 901 beyond the administration network.
10.7. practice: getting started with samba


1. Take a backup copy of the original smb.conf, name it smb.conf.orig

2. Enable SWAT and take a look at it.

3. Stop the Samba server.

4. Create a minimalistic smb.conf.minimal and test it with testparm.

5. Use testparm -s to create /etc/samba/smb.conf from your smb.conf.minimal .

6. Start Samba with your minimal smb.conf.

7. Verify with smbclient that your Samba server works.

8. Verify that another (Microsoft) computer can see your Samba server.

9. Browse the network with net view, smbtree and with Windows Explorer.

10. Change the "Server String" parameter in smb.conf. How long does it take before you see
the change (net view, smbclient, My Network Places,...) ?

11. Will restarting Samba after a change to smb.conf speed up the change ?

12. Which computer is the master browser in your workgroup ? What is the master
browser ?

13. If time permits (or if you are waiting for other students to finish this practice), then install
a sniffer (wireshark) and watch the browser elections.
10.8. solution: getting started with samba


1. Take a backup copy of the original smb.conf, name it smb.conf.orig

cd /etc/samba ; cp smb.conf smb.conf.orig

2. Enable SWAT and take a look at it.

on Debian/Ubuntu: vi /etc/inetd.conf (remove # before swat)
on RHEL/Fedora: vi /etc/xinetd.d/swat (set disable to no)

3. Stop the Samba server.

/etc/init.d/smb stop (Red Hat)
/etc/init.d/samba stop (Debian)

4. Create a minimalistic smb.conf.minimal and test it with testparm.

cd /etc/samba ; mkdir my_smb_confs ; cd my_smb_confs
vi smb.conf.minimal
testparm smb.conf.minimal

5. Use testparm -s to create /etc/samba/smb.conf from your smb.conf.minimal .

testparm -s smb.conf.minimal > ../smb.conf

6. Start Samba with your minimal smb.conf.

/etc/init.d/smb restart (Red Hat)
/etc/init.d/samba restart (Debian)

7. Verify with smbclient that your Samba server works.

smbclient -NL 127.0.0.1

8. Verify that another computer can see your Samba server.

smbclient -NL 'ip-address' (on a Linux)

9. Browse the network with net view, smbtree and with Windows Explorer.

on Linux: smbtree
on Windows: net view (and WindowsKey + e)

10. Change the "Server String" parameter in smb.conf. How long does it take before you see
the change (net view, smbclient, My Network Places,...) ?

vi /etc/samba/smb.conf
(should take only seconds when restarting samba)

11. Will restarting Samba after a change to smb.conf speed up the change ?

yes

12. Which computer is the master browser in your workgroup ? What is the master
browser ?

The computer that won the elections.
This machine will make the list of computers in the network.

13. If time permits (or if you are waiting for other students to finish this practice), then install
a sniffer (wireshark) and watch the browser elections.

On ubuntu: sudo aptitude install wireshark
then: sudo wireshark, select interface
11.1. Setting up a directory to share


Let's start with setting up a very simple read only file server with Samba. Everyone (even
anonymous guests) will receive read access.


The first step is to create a directory and put some test files in it.


[root@RHEL52 ~]# mkdir -p /srv/samba/readonly
[root@RHEL52 ~]# cd /srv/samba/readonly/
[root@RHEL52 readonly]# echo "It is cold today." > winter.txt
[root@RHEL52 readonly]# echo "It is hot today." > summer.txt
[root@RHEL52 readonly]# ls -l
total 8
-rw-r--r-- 1 root root 17 Jan 21 05:49 summer.txt
-rw-r--r-- 1 root root 18 Jan 21 05:49 winter.txt
[root@RHEL52 readonly]#

11.2. configure the share 


11.2.1. smb.conf [global] section 


In this example the samba server is a member of WORKGROUP (the default workgroup). 
We also set a descriptive server string, this string is visible to users browsing the network 
with net view, windows explorer or smbclient. 


[root@RHEL52 samba]# head -5 smb.conf
[global]
workgroup = WORKGROUP
server string = Public Anonymous File Server
netbios name = TEACHER0
security = share


You might have noticed the line with security = share. This line sets the default security 
mode for our samba server. Setting the security mode to share will allow clients (smbclient, 
any windows, another Samba server, ...) to provide a password for each share. This is one 
way of using the SMB/CIFS protocol. The other way (called user mode) will allow the 
client to provide a username/password combination, before the server knows which share 
the client wants to access. 


11.2.2. smb.conf [share] section 


The share is called pubread and the path is set to our newly created directory. Everyone is 
allowed access (guest ok = yes) and security is set to read only. 


[pubread]
path = /srv/samba/readonly
comment = files to read
read only = yes
guest ok = yes


Here is a very similar configuration on Ubuntu 11.10. 
root@ubu1110:~# cat /etc/samba/smb.conf
[global]
workgroup = LINUXTR
netbios name = UBU1110
security = share
[roshare1]
path = /srv/samba/readonly
read only = yes
guest ok = yes


It doesn't really matter which Linux distribution you use. Below is the same config on Debian
6, which is as good as identical.


root@debian6:~# cat /etc/samba/smb.conf 
[global] 

workgroup = LINUXTR 

netbios name = DEBIAN6 

security = share 

[roshare1]

path = /srv/samba/readonly 

read only = yes 

guest ok = yes 


11.3. restart the server 


After testing with testparm, restart the samba server (so you don't have to wait). 


[root@RHEL4b readonly]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]


11.4. verify the share 


11.4.1. verify with smbclient 


You can now verify the existence of the share with smbclient. Our pubread is listed as the 
fourth share. 


[root@RHEL52 samba]# smbclient -NL 127.0.0.1
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Public Anonymous File Server)
	global$         Disk
	pub0            Disk
	pubread         Disk      files to read
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]

	Server               Comment
	---------            -------
	TEACHER0             Public Anonymous File Server
	W2003EE

	Workgroup            Master
	---------            -------
	WORKGROUP            W2003EE
11.4.2. verify on windows


The final test is to go to a Microsoft Windows computer and read a file on the Samba server.
First we use the net use command to mount the pubread share on the drive letter K:.


C:\>net use K: \\teacher0\pubread
The command completed successfully.

C:\>K:


Then we test looking at the contents of the share, and reading the files.


K:\>dir
 Volume in drive K is pubread
 Volume Serial Number is 0C82-11F2

 Directory of K:\

21/01/2009  05:49    <DIR>          .
21/01/2009  05:49    <DIR>          ..
21/01/2009  05:49                17 summer.txt
21/01/2009  05:49                18 winter.txt
               2 File(s)             35 bytes
               2 Dir(s)  13.496.242.176 bytes free


Just to be on the safe side, let us try writing.


K:\>echo very cold > winter.txt
Access is denied.

K:\>


Or you can use windows explorer... 


(screenshot: Windows Explorer opened on \\Teacher0\pubread, listing summer.txt and winter.txt, 1KB Text Document each, modified 21/01/2009 5:49; the Folders pane shows Workgroup > Teacher0 with the shares pub0 and pubread)
11.5. a note on netcat


The Windows command line screenshot is made in a Linux console, using netcat as a pipe 
to a Windows command shell. 


The way this works is by having netcat listen on the Windows computer on a certain
port, executing cmd.exe when a connection is received. Netcat is similar to cat, in the sense
that cat does nothing, only netcat does nothing over the network.


To enable this connection, type the following on the windows computer (after downloading 
netcat for windows). 


nc -l -p 23 -t -e cmd.exe


And then connect to this machine with netcat from any Linux computer. You end up with 
a cmd.exe prompt inside your Linux shell. 


paul@laika:~$ nc 192.168.1.38 23
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.


C:\>net use k: /delete 


net use k: /delete 
k: was deleted successfully. 
11.6. practice: read only file server


1. Create a directory in a good location (FHS) to share files for everyone to read. 
2. Make sure the directory is owned properly and is world accessible. 

3. Put a textfile in this directory. 

4. Share the directory with Samba. 


5. Verify from your own and from another computer (smbclient, net use, ...) that the share 
is accessible for reading. 


6. Make a backup copy of your smb.conf, name it smb.conf.ReadOnlyFileServer. 
11.7. solution: read only file server


1. Create a directory in a good location (FHS) to share files for everyone to read.

mkdir -p /srv/samba/readonly

mkdir -p /home/samba/readonly

/home/paul/readonly is wrong!!

/etc/samba/readonly is wrong!!

/readonly is wrong!!


2. Make sure the directory is owned properly and is world accessible. 
chown root:root /srv/samba/readonly 


chmod 755 /srv/samba/readonly 


3. Put a textfile in this directory. 


echo Hello World > hello.txt


4. Share the directory with Samba. 


Your smb.conf.readonly could look like this:
[global]
workgroup = WORKGROUP
server string = Read Only File Server
netbios name = STUDENTx
security = share

[readonlyX]
path = /srv/samba/readonly
comment = read only file share
read only = yes
guest ok = yes


test with testparm before going in production! 


5. Verify from your own and from another computer (smbclient, net use, ...) that the share 
is accessible for reading. 


On Linux: smbclient -NL 127.0.0.1
On Windows Explorer: browse to My Network Places 


On Windows cmd.exe: net use L: //studentx/readonly 


6. Make a backup copy of your smb.conf, name it smb.conf.ReadOnlyFileServer. 


cp smb.conf smb.conf.ReadOnlyFileServer 
12.1. set up a directory to share


In this second example, we will create a share where everyone can create files and write to
files. Again, we start by creating a directory.


[root@RHEL52 samba]# mkdir -p /srv/samba/writable 
[root@RHEL52 samba]# chmod 777 /srv/samba/writable/ 


12.2. share section in smb.conf 


There are two parameters to make a share writable. We can use read only or writable. This 
example shows how to use writable to give write access to a share. 


writable = yes


And this is an example of using the read only parameter to give write access to a share. 


read only = no 


12.3. configure the share 


Then we simply add a share to our file server by editing smb.conf. Below the check with 
testparm. (We could have changed the description of the server...) 


[root@RHEL52 samba]# testparm 

Load smb config files from /etc/samba/smb.conf 
Processing section "[pubwrite]" 

Processing section "[pubread]" 

Loaded services file OK. 

Server role: ROLE_STANDALONE 

Press enter to see a dump of your service definitions 


[global] 

netbios name = TEACHER0

server string = Public Anonymous File Server 
security = SHARE 


[pubwrite] 

comment = files to write 
path = /srv/samba/writable 
read only = No 

guest ok = Yes 


[pubread] 
comment = files to read 


path = /srv/samba/readonly 
guest ok = Yes 


12.4. test connection with windows 


We can now test the connection on a Windows 2003 computer. We use the net use command for this.

C:\>net use L: \\teacher0\pubwrite
net use L: \\teacher0\pubwrite
The command completed successfully.
12.5. test writing with windows


We mounted the pubwrite share on the L: drive in windows. Below we test that we can 
write to this share. 


L:\>echo hoi > hoi.txt

L:\>dir
 Volume in drive L is pubwrite
 Volume Serial Number is 0C82-272A

 Directory of L:\

21/01/2009  06:16    <DIR>          .
21/01/2009  06:16    <DIR>          ..
21/01/2009  06:16                 6 hoi.txt
               1 File(s)              6 bytes
               2 Dir(s)  13.496.238.080 bytes free


12.6. How is this possible ?


Linux (or any Unix) always needs a user account to gain access to a system. The windows 
computer did not provide the samba server with a user account or a password. Instead, 
the Linux owner of the files created through this writable share is the Linux guest account 
(usually named nobody). 


[root@RHEL52 samba]# ls -l /srv/samba/writable/
total 4
-rwxr--r-- 1 nobody nobody 6 Jan 21 06:16 hoi.txt


So this is not the cleanest solution. We will need to improve this. 




12.7. practice: writable file server 


1. Create a directory and share it with Samba. 


2. Make sure everyone can read and write files, test writing with smbclient and from a
Microsoft computer.


3. Verify the ownership of files created by (various) users. 
12.8. solution: writable file server


1. Create a directory and share it with Samba. 
mkdir /srv/samba/writable 


chmod 777 /srv/samba/writable 


the share section in smb.conf can look like this: 


[pubwrite] 

path = /srv/samba/writable 
comment = files to write 
read only = no 

guest ok = yes


2. Make sure everyone can read and write files, test writing with smbclient and from a 
Microsoft computer. 


to test writing with smbclient: 
echo one > count.txt
echo two >> count.txt

echo three >> count.txt 
smbclient //localhost/pubwrite 


Password: 
smb: \> put count.txt 


3. Verify the ownership of files created by (various) users. 


ls -1 /srv/samba/writable 
13.1. creating a samba user


We will create a user for our samba file server and make this user the owner of the directory 
and all of its files. This anonymous user gets a clear description, but does not get a login shell. 


[root@RHEL52 samba]# useradd -s /bin/false sambanobody 

[root@RHEL52 samba]# usermod -c "Anonymous Samba Access" sambanobody 
[root@RHEL52 samba]# passwd sambanobody 

Changing password for user sambanobody. 

New UNIX password: 

Retype new UNIX password: 

passwd: all authentication tokens updated successfully. 


13.2. ownership of files 


We can use this user as owner of files and directories, instead of using the root account. This 
approach is clear and more secure. 


[root@RHEL52 samba]# chown -R sambanobody:sambanobody /srv/samba/ 
[root@RHEL52 samba]# ls -al /srv/samba/writable/ 

total 12 

drwxrwxrwx 2 sambanobody sambanobody 4096 Jan 21 06:11 .
drwxr-xr-x 6 sambanobody sambanobody 4096 Jan 21 06:11 ..
-rwxr--r-- 1 sambanobody sambanobody    6 Jan 21 06:16 hoi.txt


13.3. /usr/bin/smbpasswd 


The sambanobody user account that we created in the previous examples is not yet used 
by samba. It just owns the files and directories that we created for our shares. The goal of 
this section is to force ownership of files created through the samba share to belong to our 
sambanobody user. Remember, our server is still accessible to everyone, nobody needs to 
know this user account or password. We just want a clean Linux server. 


To accomplish this, we first have to tell Samba about this user. We can do this by adding 
the account to smbpasswd. 


[root@RHEL52 samba]# smbpasswd -a sambanobody 
New SMB password: 

Retype new SMB password: 

Added user sambanobody. 


13.4. /etc/samba/smbpasswd 


To find out where Samba keeps this information (for now), use smbd -b. The 
PRIVATE_DIR variable will show you where the smbpasswd database is located. 


[root@RHEL52 samba]# smbd -b | grep PRIVATE
   PRIVATE_DIR: /etc/samba
[root@RHEL52 samba]# ls -l smbpasswd
-rw------- 1 root root 110 Jan 21 06:19 smbpasswd


You can use a simple cat to see the contents of the smbpasswd database. The sambanobody 
user does have a password (it is secret). 


[root@RHEL52 samba]# cat smbpasswd 
sambanobody:503:AE9 ... 9DB309C528E540978:[U          ]:LCT-4976B05B:


13.5. passdb backend 


Note that recent versions of Samba have tdbsam as the default for the passdb backend
parameter.


root@ubu1110:~# testparm -v 2>/dev/null | grep 'passdb backend'


passdb backend = tdbsam 


13.6. forcing this user 


Now that Samba knows about this user, we can adjust our writable share to force the 
ownership of files created through it. For this we use the force user and force group options. 
Now we can be sure that all files in the Samba writable share are owned by the same 
sambanobody user. 


Below is the renewed definition of our share in smb.conf. 


[pubwrite] 

path = /srv/samba/writable 
comment = files to write 
force user = sambanobody 
force group = sambanobody 
read only = no 

guest ok = yes 


When you reconnect to the share and write a file, then this sambanobody user will own the 
newly created file (and nobody needs to know the password). 
13.7. practice: first samba user account


1. Create a user account for use with samba.
2. Add this user to samba's user database. 


3. Create a writable shared directory and use the "force user" and "force group" directives 
to force ownership of files. 


4. Test the working of force user with smbclient, net use and Windows Explorer. 
13.8. solution: first samba user account


1. Create a user account for use with samba.
useradd -s /bin/false smbguest
usermod -c 'samba guest' smbguest
passwd smbguest

2. Add this user to samba's user database. 


smbpasswd -a smbguest 


3. Create a writable shared directory and use the "force user" and "force group" directives 
to force ownership of files. 


[userwrite] 
path = /srv/samba/userwrite 
comment = everyone writes files owned by smbguest 


read only = no 
guest ok = yes
force user = smbguest 
force group = smbguest 


4. Test the working of force user with smbclient, net use and Windows Explorer. 


ls -1 /srv/samba/userwrite (and verify ownership) 
14.1. creating the users on Linux


The goal of this example is to set up a file share accessible to a number of different users. 
The users will need to authenticate with their password before access to this share is granted. 
We will first create three randomly named users, each with their own password. First we 
add these users to Linux. 


[root@RHEL52 ~]# useradd -c "Serena Williams" serena
[root@RHEL52 ~]# useradd -c "Justine Henin" justine 
[root@RHEL52 ~]# useradd -c "Martina Hingis" martina 


[root@RHEL52 ~]# passwd serena 

Changing password for user serena. 

New UNIX password: 

Retype new UNIX password: 

passwd: all authentication tokens updated successfully. 
[root@RHEL52 ~]# passwd justine 

Changing password for user justine. 

New UNIX password: 

Retype new UNIX password: 

passwd: all authentication tokens updated successfully. 
[root@RHEL52 ~]# passwd martina 

Changing password for user martina. 

New UNIX password: 

Retype new UNIX password: 

passwd: all authentication tokens updated successfully. 


14.2. creating the users on samba 


Then we add them to the smbpasswd file, with the same password. 


[root@RHEL52 ~]# smbpasswd -a serena 
New SMB password: 

Retype new SMB password: 

Added user serena. 

[root@RHEL52 ~]# smbpasswd -a justine 
New SMB password: 

Retype new SMB password: 

Added user justine. 

[root@RHEL52 ~]# smbpasswd -a martina 
New SMB password: 

Retype new SMB password: 

Added user martina. 


14.3. security = user 


Remember that we set samba's security mode to share with the security = share directive in 
the [global] section ? Since we now require users to always provide a userid and password 
for access to our samba server, we will need to change this. Setting security = user will 
require the client to provide samba with a valid userid and password before giving access 
to a share. 


Our [global] section now looks like this. 
[global]

workgroup = WORKGROUP 

netbios name = TEACHER0

server string = Samba File Server 
security = user 


14.4. configuring the share 


We add the following [share] section to our smb.conf (and we do not forget to create the 
directory /srv/samba/authwrite). 


[authwrite] 

path = /srv/samba/authwrite 
comment = authenticated users only
read only = no 

guest ok = no 


14.5. testing access with net use 


After restarting samba, we test with different users from within Microsoft computers. The
screenshots use the net use command. First serena from Windows XP.


C:\>net use m: \\teacher0\authwrite stargate /user:serena
The command completed successfully.

C:\>m:

M:\>echo greetings from Serena > serena.txt


The next screenshot is martina on a Windows 2000 computer; she succeeds in writing her
files, but fails to overwrite the file from serena.


C:\>net use k: \\teacher0\authwrite stargate /user:martina
The command completed successfully.

C:\>k:

K:\>echo greetings from martina > Martina.txt

K:\>echo test overwrite > serena.txt
Access is denied.


14.6. testing access with smbclient 


You can also test connecting with authentication with smbclient. First we test with a wrong 
password. 


[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina wrongpass
session setup failed: NT_STATUS_LOGON_FAILURE
Then we test with the correct password, and verify that we can access a file on the share.


[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]

smb: \> more serena.txt 

getting file \serena.txt of size 14 as /tmp/smbmore.QQfmSN (6.8 kb/s) 
one 

two 

three 

smb: \> q 


14.7. verify ownership 


We now have a simple standalone samba file server with authenticated access. And the files 
in the shares belong to their proper owners. 


[root@RHEL52 samba]# ls -l /srv/samba/authwrite/
total 8
-rwxr--r-- 1 martina martina  0 Jan 21 20:06 martina.txt
-rwxr--r-- 1 serena  serena  14 Jan 21 20:06 serena.txt
-rwxr--r-- 1 serena  serena   6 Jan 21 20:09 ser.txt


14.8. common problems

14.8.1. NT_STATUS_BAD_NETWORK_NAME


You can get NT_STATUS_BAD_NETWORK_NAME when you forget to create the
target directory.


[root@RHEL52 samba]# rm -rf /srv/samba/authwrite/
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME


14.8.2. NT_STATUS_LOGON_FAILURE


You can get NT_STATUS_LOGON_FAILURE when you type the wrong password or
when you type a nonexistent username.


[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina STARGATE
session setup failed: NT_STATUS_LOGON_FAILURE


14.8.3. usernames are (not) case sensitive 


Remember that usernames on Linux are case sensitive.


[root@RHEL52 samba]# su - MARTINA
su: user MARTINA does not exist
[root@RHEL52 samba]# su - martina
[martina@RHEL52 ~]$


But usernames on Microsoft computers are not case sensitive. 


[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \> q
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U MARTINA stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \> q
14.9. practice : samba authentication


0. Make sure you have properly named backups of your smb.conf of the previous practices. 
1. Create three users (on the Linux and on the samba), remember their passwords! 
2. Set up a shared directory that is only accessible to authenticated users. 


3. Use smbclient and a windows computer to access your share, use more than one user 
account (windows requires a logoff/logon for this). 


4. Verify that files created by these users belong to them. 


5. Try to change or delete a file from another user. 
14.10. solution: samba authentication


1. Create three users (on the Linux and on the samba), remember their passwords!
useradd -c 'SMB user1' userx


passwd userx 


2. Set up a shared directory that is only accessible to authenticated users. 


The shared section in smb.conf could look like this: 


[authwrite]
path = /srv/samba/authwrite
comment = authenticated users only
read only = no
guest ok = no


3. Use smbclient and a windows computer to access your share, use more than one user 
account (windows requires a logoff/logon for this). 


on Linux: smbclient //studentX/authwrite -U user1 password


on windows net use p: \\studentX\authwrite password /user:user2 


4. Verify that files created by these users belong to them. 


ls -1 /srv/samba/authwrite 


5. Try to change or delete a file from another user. 


you should not be able to change or overwrite files from others. 
15.1. security based on user name


15.1.1. valid users 


To restrict users per share, you can use the valid users parameter. In the example below, 
only the users listed as valid will be able to access the tennis share. 


[tennis]
path = /srv/samba/tennis
comment = authenticated and valid users only
read only = No
guest ok = No
valid users = serena, kim, venus, justine


15.1.2. invalid users 


If you are paranoid, you can also use invalid users to explicitly deny the listed users access.
When a user is in both lists, the user has no access!


[tennis] 

path = /srv/samba/tennis 

read only = No 

guest ok = No 

valid users = kim, serena, venus, justine 
invalid users = venus 


15.1.3. read list 


On a writable share, you can set a list of read only users with the read list parameter. 


[football] 

path = /srv/samba/football 
read only = No 

guest ok = No 

read list = martina, roberto 


15.1.4. write list 


Even on a read only share, you can set a list of users that can write. Use the write list 
parameter. 


[football] 

path = /srv/samba/golf 
read only = Yes 

guest ok = No 

write list = eddy, jan 


15.2. security based on ip-address 


15.2.1. hosts allow 


The hosts allow or allow hosts parameter is one of the key advantages of Samba. It allows
access control of shares at the ip-address level. To allow only specific hosts to access a
share, list the hosts, separated by commas.

allow hosts = 192.168.1.5, 192.168.1.40


Allowing entire subnets is done by ending the range with a dot. 


allow hosts = 192.168.1. 


Subnet masks can be added in the classical way. 


allow hosts = 10.0.0.0/255.0.0.0 


You can also allow an entire subnet with exceptions. 


hosts allow = 10. except 10.0.0.12 


15.2.2. hosts deny 


The hosts deny or deny hosts parameter is the logical counterpart of the previous. The 
syntax is the same as for hosts allow. 


hosts deny = 192.168.1.55, 192.168.1.56


15.3. security through obscurity

15.3.1. hide unreadable


Setting hide unreadable to yes will prevent users from seeing files that cannot be read by 
them. 


hide unreadable = yes


15.3.2. browsable


Setting the browseable = no directive will hide shares from My Network Places. But it will 
not prevent someone from accessing the share (when the name of the share is known). 


Note that browsable and browseable are both correct syntax. 


[pubread] 
path = /srv/samba/readonly 
comment = files to read 


read only = yes 
guest ok = yes 
browseable = no 


15.4. file system security

15.4.1. create mask


You can use create mask and directory mask to set the maximum allowed permissions for
newly created files and directories. The mask you set is an AND mask (it takes permissions
away).


[tennis] 


path = /srv/samba/tennis 
read only = No 
guest ok = No
create mask = 640
directory mask = 750


15.4.2. force create mode 


Similar to create mask, but different. Where the mask from above was a logical AND, the 
mode you set here is a logical OR (so it adds permissions). You can use the force create 
mode and force directory mode to set the minimal required permissions for newly created 
files and directories. 


[tennis] 

path = /srv/samba/tennis 
read only = No

guest ok = No 

force create mode = 444 
force directory mode = 550 
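
As an added example (not code from the course text or from Samba itself), the Python below models how the per-share rules explained in 15.1, 15.2 and 15.4 combine, following smb.conf(5): invalid users beats valid users, write list and read list beat read only, hosts allow beats hosts deny, and a new file's mode is the requested mode ANDed with create mask and then ORed with force create mode. The two share definitions inside it are constructed for illustration and reuse this chapter's parameters.

```python
"""Per-share access rules from this chapter (valid/invalid users, read/write list,
hosts allow/deny, create mask and force create mode) modelled after smb.conf(5).
Added example, not code from the course or from Samba; the shares are constructed."""
import ipaddress

# Samba stores "writable = yes" as "read only = no"; parameters are applied in
# file order, so when a share sets both, the last one written wins.
INVERTED = {"writable", "writeable", "write ok"}
SYNONYMS = {"allow hosts": "hosts allow", "deny hosts": "hosts deny"}

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def name_list(value):
    """'serena, kim venus' -> ['serena', 'kim', 'venus'] (comma or space separated)."""
    return value.replace(",", " ").split() if value else []

def parse_smb_conf(text):
    """Return {section: {parameter: value}} for a small smb.conf-style text."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in INVERTED:
            key, value = "read only", ("no" if is_true(value) else "yes")
        if section is not None:
            conf[section][SYNONYMS.get(key, key)] = value
    return conf

def host_pattern_matches(pattern, ip):
    if pattern.endswith("."):                       # "192.168.1." = the whole subnet
        return ip.startswith(pattern)
    if "/" in pattern:                              # 10.0.0.0/255.0.0.0 or 10.0.0.0/8
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern

def host_list_matches(value, ip):
    """Evaluate one hosts allow/deny value, honouring '<hosts> except <hosts>'."""
    included, _, excluded = value.lower().partition(" except ")
    if any(host_pattern_matches(p, ip) for p in name_list(excluded)):
        return False
    return any(host_pattern_matches(p, ip) for p in name_list(included))

def host_allowed(share, ip):
    """smb.conf(5): where hosts allow and hosts deny conflict, hosts allow wins."""
    allow, deny = share.get("hosts allow", ""), share.get("hosts deny", "")
    if allow and host_list_matches(allow, ip):
        return True
    if deny and host_list_matches(deny, ip):
        return False
    return not allow        # an allow list that did not match denies everyone else

def user_access(share, user):
    """Return None (no access), 'read' or 'write' for an authenticated user."""
    if user in name_list(share.get("invalid users", "")):
        return None                                 # invalid users always wins
    valid = name_list(share.get("valid users", ""))
    if valid and user not in valid:
        return None
    writable = not is_true(share.get("read only", "yes"))   # Samba default: read only
    if user in name_list(share.get("write list", "")):
        writable = True                             # beats read only = yes and read list
    elif user in name_list(share.get("read list", "")):
        writable = False                            # beats read only = no
    return "write" if writable else "read"

def new_file_mode(share, requested=0o666):
    """create mask is ANDed with the requested mode, then force create mode is ORed in."""
    mask = int(share.get("create mask", "0744"), 8)          # Samba defaults
    force = int(share.get("force create mode", "000"), 8)
    return (requested & mask) | force

# Constructed sample shares, reusing the parameters this chapter explains.
SAMPLE_CONF = """
[tennis]
    path = /srv/samba/tennis
    read only = No
    guest ok = No
    valid users = kim, serena, venus, justine
    invalid users = venus
    hosts allow = 10. except 10.0.0.12
    create mask = 640
    force create mode = 444

[football]
    path = /srv/samba/football
    writable = yes
    read list = martina, roberto
    write list = roberto
    hosts deny = 192.168.1.203
"""
SHARES = parse_smb_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for user in ("kim", "venus", "martina"):
        print("tennis:", user, "->", user_access(SHARES["tennis"], user))
    print("tennis from 10.0.0.12 allowed:", host_allowed(SHARES["tennis"], "10.0.0.12"))
    print("mode of a new file on tennis: %o" % new_file_mode(SHARES["tennis"]))
```

Running it against the tennis share shows venus denied despite being a valid user, a client on 10.0.0.12 rejected by the except clause, and a requested 666 file ending up as 644 (666 AND 640 = 640, OR 444 = 644).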


15.4.3. security mask 


The security mask and directory security mask work in the same way as create mask 
and directory mask, but apply only when a windows user is changing permissions using 
the windows security dialog box. 


15.4.4. force security mode 


The force security mode and force directory security mode work in the same way as force 
create mode and force directory mode, but apply only when a windows user is changing 
permissions using the windows security dialog box. 


15.4.5. inherit permissions 


With inherit permissions = yes you can force newly created files and directories to inherit 
permissions from their parent directory, overriding the create mask and directory mask 
settings. 


[authwrite]
path = /srv/samba/authwrite
comment = authenticated users only
read only = no
guest ok = no
create mask = 600
directory mask = 555
inherit permissions = yes
15.5. practice: securing shares


1. Create a writable share called sales, and a readonly share called budget. Test that it works. 
2. Limit access to the sales share to ann, sandra and veronique. 

3. Make sure that roberto cannot access the sales share. 

4. Even though the sales share is writable, ann should only have read access. 

5. Even though the budget share is read only, sandra should also have write access. 


6. Limit one shared directory to the 192.168.1.0/24 subnet, and another share to the two 
computers with ip-addresses 192.168.1.33 and 172.17.18.19. 


7. Make sure the computer with ip 192.168.1.203 cannot access the budget share. 


8. Make sure (on the budget share) that users can see only files and directories to which 
they have access. 


9. Make sure the sales share is not visible when browsing the network. 

10. All files created in the sales share should have 640 permissions or less. 

11. All directories created in the budget share should have 750 permissions or more. 
12. Permissions for files on the sales share should never be set more than 664. 

13. Permissions for files on the budget share should never be set less than 500. 


14. If time permits (or if you are waiting for other students to finish this practice), then 
combine the "read only" and "writable" statements to check which one has priority. 




15. If time permits then combine "read list", "write list", "hosts allow" and "hosts deny". 
Which of these has priority ? 
15.6. solution: securing shares


1. Create a writable share called sales, and a readonly share called budget. Test that it works. 


see previous solutions on how to do this... 


2. Limit access to the sales share to ann, sandra and veronique. 


valid users = ann, sandra, veronique 


3. Make sure that roberto cannot access the sales share. 


invalid users = roberto


4. Even though the sales share is writable, ann should only have read access. 


read list = ann


5. Even though the budget share is read only, sandra should also have write access. 


write list = sandra 


6. Limit one shared directory to the 192.168.1.0/24 subnet, and another share to the two 
computers with ip-addresses 192.168.1.33 and 172.17.18.19. 


hosts allow = 192.168.1. 


hosts allow = 192.168.1.33, 172.17.18.19


7. Make sure the computer with ip 192.168.1.203 cannot access the budget share. 


hosts deny = 192.168.1.203 


8. Make sure (on the budget share) that users can see only files and directories to which 
they have access. 


hide unreadable = yes


9. Make sure the sales share is not visible when browsing the network.


browsable = no

10. All files created in the sales share should have 640 permissions or less. 


create mask = 640


11. All directories created in the budget share should have 750 permissions or more. 


force directory mode = 750


12. Permissions for files on the sales share should never be set more than 664.


security mask = 750

13. Permissions for files on the budget share should never be set less than 500. 


force security directory mask = 500


14. If time permits (or if you are waiting for other students to finish this practice), then 
combine the "read only" and "writable" statements to check which one has priority. 


15. If time permits then combine "read list", "write list", "hosts allow" and "hosts deny". 
Which of these has priority ? 
16.1. changes in smb.conf

16.1.1. workgroup


The workgroup option in the global section should match the netbios name of the Active 
Directory domain. 


workgroup = STARGATE 


16.1.2. security mode 


Authentication will not be handled by samba now, but by the Active Directory domain 
controllers, so we set the security option to domain. 


security = Domain 


16.1.3. Linux uid's 


Linux requires a user account for every user accessing its file system, so we need to provide
Samba with a range of uid's and gid's that it can use to create these user accounts. The range
is set with the idmap uid and idmap gid parameters. The first Active Directory
user to connect will receive Linux uid 20000.


idmap uid = 20000-22000 
idmap gid = 20000-22000 


16.1.4. winbind use default domain 


The winbind use default domain parameter makes sure winbind also operates on users 
without a domain component in their name. 


winbind use default domain = yes 


16.1.5. [global] section in smb.conf 


Below is our new global section in smb.conf. 


[global] 

workgroup = STARGATE 

security = Domain 

server string = Stargate Domain Member Server 


idmap uid = 20000-22000 
idmap gid = 20000-22000 
winbind use default domain = yes 
16.1.6. realm in /etc/krb5.conf


To connect to a Windows 2003 SP2 (or later) domain controller you will need to adjust the kerberos realm in
/etc/krb5.conf and set both lookup statements to true.


[libdefaults] 

default_realm = STARGATE.LOCAL 
dns_lookup_realm = true 
dns_lookup_kdc = true 


16.1.7. [share] section in smb.conf 


Nothing special is required for the share section in smb.conf. Remember that we do not
manually create users in smbpasswd or on the Linux side (/etc/passwd). Only Active Directory
users are allowed access.


[domaindata] 

path = /srv/samba/domaindata 

comment = Active Directory users only 
read only = No


16.2. joining an Active Directory domain 


While the Samba server is stopped, you can use net rpc join to join the Active Directory 
domain. 


[root@RHEL52 samba]# service smb stop
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
[root@RHEL52 samba]# net rpc join -U Administrator


Password: 
Joined domain STARGATE. 


We can verify in ADUC (Active Directory Users and Computers) that a computer account has 
been created for this Samba server. 
16.3. winbind 


16.3.1. adding winbind to nsswitch.conf 


The winbind daemon talks to the Active Directory domain controllers. 


We need to update the /etc/nsswitch.conf file now, so that user, group and host names can 
be resolved against the winbind daemon. 


[root@RHEL52 samba]# vi /etc/nsswitch.conf 
[root@RHEL52 samba]# grep winbind /etc/nsswitch.conf 


passwd: files winbind 
group: files winbind 
hosts: files dns winbind 


16.3.2. starting samba and winbindd 


Time to start Samba followed by winbindd. 


[root@RHEL4b samba]# service smb start 
Starting SMB services:                                     [  OK  ] 
Starting NMB services:                                     [  OK  ] 
[root@RHEL4b samba]# service winbind start 
Starting winbindd services:                                [  OK  ] 
[root@RHEL4b samba]# 


16.4. wbinfo 
16.4.1. verify the trust 


You can use wbinfo -t to verify the trust between your samba server and Active Directory. 
[root@RHEL52 ~]# wbinfo -t 
checking the trust secret via RPC calls succeeded 


16.4.2. list all users 


We can obtain a list of all users with the wbinfo -u command. The domain is not shown when 
the winbind use default domain parameter is set. 


[root@RHEL52 ~]# wbinfo -u 
TEACHERO\serena 
TEACHERO\justine 
TEACHERO\martina 
STARGATE\administrator 
STARGATE\guest 
STARGATE\support_388945a0 
STARGATE\pol 
STARGATE\krbtgt 
STARGATE\arthur 
STARGATE\harry 


16.4.3. list all groups 


We can obtain a list of all domain groups with the wbinfo -g command. The domain is not 
shown when the winbind use default domain parameter is set. 


[root@RHEL52 ~]# wbinfo -g 
BUILTIN\administrators 
BUILTIN\users 
BATMAN\domain computers 
BATMAN\domain controllers 
BATMAN\schema admins 
BATMAN\enterprise admins 
BATMAN\domain admins 
BATMAN\domain users 
BATMAN\domain guests 
BATMAN\group policy creator owners 
BATMAN\dnsupdateproxy 


16.4.4. query a user 


We can use wbinfo -a to verify authentication of a user against Active Directory. Assuming 
a user account harry with password stargate has just been created in Active Directory, we get 
the following screenshot. Note that wbinfo -a takes the credentials as user%password on the 
command line, so the password ends up in the shell history and the process list; use it for 
testing only. 


[root@RHEL52 ~]# wbinfo -a harry%stargate 
plaintext password authentication succeeded 
challenge/response password authentication succeeded 


16.5. getent 


We can use getent to verify that winbindd is working and that Active Directory users are 
resolved through the passwd database. Nothing is written to /etc/passwd: winbind answers 
the lookup through nsswitch. 


[root@RHEL52 ~]# getent passwd harry 
harry:*:20000:20008:harry potter:/home/BATMAN/harry:/bin/false 
[root@RHEL52 ~]# getent passwd arthur 
arthur:*:20001:20008:arthur dent:/home/BATMAN/arthur:/bin/false 
[root@RHEL52 ~]# getent passwd bilbo 
bilbo:*:20002:20008:bilbo baggins:/home/BATMAN/bilbo:/bin/false 


If the user already exists locally, then the local user account is shown. This is because 
winbind is configured in /etc/nsswitch.conf after files. 


[root@RHEL52 ~]# getent passwd paul 
paul:x:500:500:Paul Cobbaut:/home/paul:/bin/bash 


All the Active Directory users can now easily connect to the Samba share. Files created by 
them, belong to them. 
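The checks made by hand above (the security mode, the idmap range, and the order of files and winbind in nsswitch.conf) can be scripted. The following is an added example, not from the original text: it audits a domain member's configuration. The smb.conf, nsswitch.conf and passwd files it reads are constructed samples written to a temporary directory, and the local account svcbackup placed inside the idmap range is an assumption made to show the collision check.

```shell
#!/bin/sh
# Added example (not from the original text): sanity checks for a Samba domain
# member. The smb.conf, nsswitch.conf and passwd files below are constructed
# samples written to a temporary directory so the script runs offline; point
# the functions at /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/passwd on
# a real server.

SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
workgroup = STARGATE
security = Domain
idmap uid = 20000-22000
idmap gid = 20000-22000
winbind use default domain = yes
EOF

cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd: files winbind
group: files winbind
hosts: files dns winbind
EOF

# Deliberately wrong ordering: winbind before files lets a domain user
# shadow a local account with the same name.
cat > "$SAMPLE_DIR/nsswitch.bad" <<'EOF'
passwd: winbind files
group: files winbind
EOF

# Constructed passwd: one local service account (an assumption) was created
# inside the idmap range, which is the mistake the check is meant to catch.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
paul:x:500:500:Paul Cobbaut:/home/paul:/bin/bash
svcbackup:x:20005:20005:backup agent:/var/lib/backup:/sbin/nologin
EOF

# smb_param FILE NAME: print the value of a parameter (names are case-insensitive).
smb_param() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*[;#]/ { next }
    index($0, "=") > 0 {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (tolower(key) == want) { print val; exit }
    }' "$1"
}

# security_ok SMBCONF: true when authentication is delegated to the domain controllers.
security_ok() {
  case "$(smb_param "$1" security | tr 'A-Z' 'a-z')" in
    domain|ads) return 0 ;;
    *) return 1 ;;
  esac
}

# idmap_collisions SMBCONF PASSWD: print local accounts whose uid falls inside
# "idmap uid"; exit status 1 when any are found (or when the range is unset).
idmap_collisions() {
  range=$(smb_param "$1" "idmap uid")
  [ -n "$range" ] || { echo "idmap uid is not set" >&2; return 1; }
  awk -F: -v lo="${range%-*}" -v hi="${range#*-}" '
    $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3; found = 1 }
    END { exit found ? 1 : 0 }' "$2"
}

# nsswitch_ok NSSWITCH: the passwd and group lines must list "files" before "winbind".
nsswitch_ok() {
  awk '$1 == "passwd:" || $1 == "group:" {
         seen++; files_first = 0; winbind = 0
         for (i = 2; i <= NF; i++) {
           if ($i == "files" && !winbind) files_first = 1
           if ($i == "winbind") winbind = 1
         }
         if (!(files_first && winbind)) bad = 1
       }
       END { exit (bad || seen < 2) ? 1 : 0 }' "$1"
}

# Run the checks on the samples.
security_ok "$SAMPLE_DIR/smb.conf" && echo "security: ok" || echo "security: must be domain or ads"
idmap_collisions "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/passwd" && echo "idmap: ok" || echo "idmap: local accounts inside the range (listed above)"
nsswitch_ok "$SAMPLE_DIR/nsswitch.conf" && echo "nsswitch: ok" || echo "nsswitch: put files before winbind"
```

Run it against the real files by replacing the sample paths; a non-empty list from idmap_collisions means the range in smb.conf must be moved before the first domain user connects, because ids that winbind has already handed out are stored in its idmap database and are hard to change afterwards.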


16.6. file ownership 


[root@RHEL4b samba]# ll /srv/samba/domaindata/ 
total 0 
-rwxr--r-- 1 justine 20000 0 Jun 22 19:54 create by justine on winxp.txt 
-rwxr--r-- 1 venus   20000 0 Jun 22 19:55 create by venus.txt 
-rwxr--r-- 1 maria   20000 0 Jun 22 19:57 Maria.txt 
16.7. practice: samba domain member 


1. Verify that you have a working Active Directory (AD) domain. 

2. Add the domain name and domain controller to /etc/hosts. Set the AD DNS server in 
/etc/resolv.conf. 

3. Set up Samba as a member server in the domain. 

4. Verify the creation of a computer account in AD for your Samba server. 

5. Verify with wbinfo and getent that AD users are resolved through winbind (they do not 
appear in /etc/passwd itself). 

6. Connect to Samba shares with AD users, and verify ownership of their files. 
17.1. about Domain Controllers 
17.1.1. Windows NT4 


Windows NT4 works with single master replication domain controllers. There is exactly one 
PDC (Primary Domain Controller) in the domain, and zero or more BDC's (Backup Domain 
Controllers). Samba 3 has all features found in Windows NT4 PDC and BDC, and more. 
This includes file and print serving, domain control with single logon, logon scripts, home 
directories and roaming profiles. 


17.1.2. Windows 200x 


With Windows 2000 came Active Directory. AD includes multimaster replication and group 
policies. Samba 3 can only be a member server in Active Directory, it cannot manage group 
policies. Samba 4 can do this (in beta). 


17.1.3. Samba 3 


Samba 3 can act as a domain controller in its own domain. In a Windows NT4 domain, with 
one Windows NT4 PDC and zero or more BDC's, Samba 3 can only be a member server. 
The same is valid for Samba 3 in an Active Directory Domain. In short, a Samba 3 domain 
controller can not share domain control with Windows domain controllers. 


17.1.4. Samba 4 


Samba 4 can be a domain controller in an Active Directory domain, including managing 
group policies. As of this writing, Samba 4 is not released for production! 


17.2. About security modes 


17.2.1. security = share 


This is the 'Windows for Workgroups' way of working: a client requests a connection to a share 
and provides a password for that connection. Anyone who knows a password for a share 
can access that share. This security model was common in Windows 3.11, Windows 95, 
Windows 98 and Windows ME. Samba 4 no longer supports it. 


17.2.2. security = user 


The client will send a userid + password before the server knows which share the client 
wants to access. This mode should be used whenever the samba server is in control of the 
user database, both for standalone servers and for samba domain controllers. 


17.2.3. security = domain 


This mode will allow samba to verify user credentials using NTLM, both in Windows NT4 
domains and in Active Directory domains. This is similar to a Windows NT4 BDC joining a 
native Windows 2000/2003 Active Directory domain. 


17.2.4. security = ads 


This mode will make samba use Kerberos to connect to the Active Directory domain. Kerberos 
needs the correct realm in /etc/krb5.conf and a clock that is in sync with the domain 
controllers (by default the tolerance is five minutes). 


17.2.5. security = server 


This mode is obsolete and should not be used; it forwards authentication to another server. 


17.3. About password backends 


The previous chapters all used the smbpasswd user database. For domain control we opt 
for the tdbsam password backend. Another option would be to use LDAP. Larger domains 
will benefit from using LDAP instead of the not so scalable tdbsam. If you need more than 
one domain controller, the Samba team advises against tdbsam. 


17.4. [global] section in smb.conf 


Now is a good time to start adding comments in your smb.conf. First we will take a look at 
the naming of our domain and server in the [global] section, and at the domain controlling 
parameters. 


17.4.1. security 


The security must be set to user (which is the default). This mode makes samba control 
the user accounts itself, which is what allows it to act as a domain controller. 


security = user 


17.4.2. os level 


A samba server is usually the most stable computer in the network, so it should win all 
browser elections (os level above 32) to become the master browser. 


os level = 33 


17.4.3. passdb backend 


The passdb backend parameter will determine whether samba uses smbpasswd, tdbsam 
or ldap. 


passdb backend = tdbsam 


17.4.4. preferred master 


Setting the preferred master parameter to yes will make the nmbd daemon force an election 
on startup. 


preferred master = yes 


17.4.5. domain logons 


Setting the domain logons parameter will make this samba server a domain controller. 


domain logons = yes 


17.4.6. domain master 


Setting the domain master parameter can cause samba to claim the domain master 
browser role for its workgroup. Don't use this parameter in a workgroup with an active 
NT4 PDC. 


domain master = yes 


17.4.7. [global] section 


The screenshot below shows a sample [global] section for a samba domain controller. 


[global] 
# names 

workgroup = SPORTS 

netbios name = DCSPORTS 

server string = Sports Domain Controller 
# domain control parameters 

security = user 


os level = 33 
preferred master = Yes 
domain master = Yes 
domain logons = Yes 


17.5. netlogon share 


Part of the Microsoft definition of a domain controller is that it must have a netlogon 
share. This is the relevant part of smb.conf to create this netlogon share on Samba. 


[netlogon] 

comment = Network Logon Service 
path = /srv/samba/netlogon 
admin users = root 

guest ok = Yes 

browseable = No 


17.6. other [share] sections 


We create some sections for file shares, to test the samba server. Users can all access the 
general sports file share, but only group members can access their own sports share. 


[sports] 

comment = Information about all sports 
path = /srv/samba/sports 

valid users = @ntsports 

read only = No 


[tennis] 

comment = Information about tennis 
path = /srv/samba/tennis 

valid users = @nttennis 

read only = No 
[football] 
comment = Information about football 
path = /srv/samba/football 
valid users = @ntfootball 
read only = No 


17.7. Users and Groups 


To be able to use users and groups in the samba domain controller, we can first set up some 
groups on the Linux computer. 


[root@RHEL52 samba]# groupadd ntadmins 
[root@RHEL52 samba]# groupadd ntsports 
[root@RHEL52 samba]# groupadd ntfootball 
[root@RHEL52 samba]# groupadd nttennis 


This enables us to add group membership info to some new users for our samba domain. 
Don't forget to give them a password. 


[root@RHEL52 samba]# useradd -m -G ntadmins Administrator 
[root@RHEL52 samba]# useradd -m -G ntsports,nttennis venus 
[root@RHEL52 samba]# useradd -m -G ntsports,nttennis kim 
[root@RHEL52 samba]# useradd -m -G ntsports,nttennis jelena 
[root@RHEL52 samba]# useradd -m -G ntsports,ntfootball figo 
[root@RHEL52 samba]# useradd -m -G ntsports,ntfootball ronaldo 
[root@RHEL52 samba]# useradd -m -G ntsports,ntfootball pfaff 


It is always safe to verify creation of users, groups and passwords in /etc/passwd, /etc/shadow 
and /etc/group. 


[root@RHEL52 samba]# tail -11 /etc/group 
ntadmins:x:507:Administrator 
ntsports:x:508:venus,kim,jelena,figo,ronaldo,pfaff 
ntfootball:x:509:figo,ronaldo,pfaff 
nttennis:x:510:venus,kim,jelena 
Administrator:x:511: 
venus:x:512: 
kim:x:513: 
jelena:x:514: 
figo:x:515: 
ronaldo:x:516: 
pfaff:x:517: 


17.8. tdbsam 


Next we must make these users known to samba with the smbpasswd tool. When you add 
the first user to tdbsam, the file /etc/samba/passdb.tdb will be created. 


[root@RHEL52 samba]# smbpasswd -a root 
New SMB password: 
Retype new SMB password: 
tdbsam_open: Converting version 0 database to version 3. 
Added user root. 


Adding all the other users generates less output, because tdbsam is already created. 


[root@RHEL4b samba]# smbpasswd -a root 
New SMB password: 

Retype new SMB password: 

Added user root. 


17.9. about computer accounts 


Every NT computer (Windows NT, 2000, XP, Vista) can become a member of a domain. 
Joining the domain (by right-clicking on My Computer) means that a computer account will 
be created in the domain. This computer account also has a password (but you cannot know 
it) to prevent other computers with the same name from accidentally becoming member of 
the domain. The computer account created by Samba is visible in the /etc/passwd file on 
Linux. Computer accounts appear as a normal user account, but end their name with a dollar 
sign. Below a screenshot of the windows 2003 computer account, created by Samba 3. 


[root@RHEL52 samba]# tail -5 /etc/passwd 
jelena:x:510:514::/home/jelena:/bin/bash 
figo:x:511:515::/home/figo:/bin/bash 
ronaldo:x:512:516::/home/ronaldo:/bin/bash 
pfaff:x:513:517::/home/pfaff:/bin/bash 
w2003ee$:x:514:518::/home/nobody:/bin/false 


To be able to create the account, you will need to provide credentials of an account with 
the permission to create accounts (by default only root can do this on Linux). And we will 
have to tell Samba how to do this, by adding an add machine script to the global section 
of smb.conf. Samba replaces %u with the name of the joining computer and runs the script 
as root. 


add machine script = /usr/sbin/useradd -s /bin/false -d /home/nobody %u 


You can now join a Microsoft computer to the sports domain (with the root user). After a 
reboot of the Microsoft computer, you will be able to log on with Administrator (password 
Stargate1), but you will get an error about your roaming profile. We will fix this in the next 
section. 


When joining the samba domain, you have to enter the credentials of a Linux account that 
can create users (usually only root can do this). If the Microsoft computer complains with 
The parameter is incorrect, then you possibly forgot to add the add machine script. 
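As an added example (not part of the original text), here is a wrapper that can take the place of the bare useradd call in add machine script. The path /usr/local/sbin/add-machine.sh is an assumption. Samba substitutes the joining computer's name for %u and runs the script as root, so the wrapper refuses anything that is not a well-formed machine account name (including names that would be parsed by useradd as options) before creating the account.

```shell
#!/bin/sh
# Added example (not from the original text): a wrapper to use as the
# "add machine script" on a Samba 3 domain controller, instead of calling
# useradd directly. Assumed installation path (not on the original page):
#
#   add machine script = /usr/local/sbin/add-machine.sh %u
#
# Samba substitutes the NetBIOS name of the joining computer (with a trailing
# "$") for %u and runs the script as root, so the name is validated before
# anything is created. USERADD can be pointed at ":" for a dry run.

USERADD="${USERADD:-/usr/sbin/useradd}"

# valid_machine_name NAME: 0 when NAME is a well-formed machine account name
# (1 to 15 characters from [A-Za-z0-9_-], not starting with "-", followed by
# a single "$").
valid_machine_name() {
  name=$1
  case "$name" in
    *\$) ;;
    *) return 1 ;;            # computer accounts always end in "$"
  esac
  base=${name%\$}
  [ -n "$base" ] || return 1
  [ ${#base} -le 15 ] || return 1   # NetBIOS names are at most 15 characters
  case "$base" in
    -*) return 1 ;;           # would be taken as an option by useradd
    *[!A-Za-z0-9_-]*) return 1 ;;  # no "/", ".", spaces, shell metacharacters
  esac
  return 0
}

# add_machine_account NAME: create the Linux account behind the computer
# account. Returns 2 when the name is refused, otherwise useradd's status.
add_machine_account() {
  if ! valid_machine_name "$1"; then
    echo "add-machine: refusing machine name '$1'" >&2
    return 2
  fi
  # No home directory, no login shell: the account only exists so that
  # Samba can store the machine trust password for it.
  "$USERADD" -M -d /home/nobody -s /bin/false "$1"
}

# When run from Samba the name arrives as the first argument.
if [ -n "$1" ]; then
  add_machine_account "$1"
fi
```

Samba itself logs a failed add machine script in log.smbd, and the Windows client reports the join as failed, so a refused name is visible on both ends.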


17.10. local or roaming profiles 


For your information, if you want to force local profiles instead of roaming profiles, then 
simply add the following two lines (with empty values) to the global section in smb.conf. 


logon home = 
logon path = 


Microsoft computers store a lot of user metadata and application data in a user profile. 
Making this profile available on the network will enable users to keep their Desktop and 
Application settings across computers. User profiles on the network are called roaming 
profiles or roving profiles. The Samba domain controller can manage these profiles. First 
we need to add the relevant section in smb.conf. 


[Profiles] 
comment = User Profiles 
path = /srv/samba/profiles 
read only = No 
profile acls = Yes 


Besides the share section, we also need to set the location of the profiles share (this can be 
another Samba server) in the global section. 


logon path = \\%L\Profiles\%U 


The %L variable is the name of this Samba server, the %U variable translates to the 
username. After adding a user to smbpasswd and letting the user log on and off, the profile 
of the user will look like this. 


[root@RHEL4b samba]# ll /srv/samba/profiles/Venus/ 
total 568 
drwxr-xr-x 4 Venus Venus   4096 Jul  5 10:03 Application Data 
drwxr-xr-x 2 Venus Venus   4096 Jul  5 10:03 Cookies 
drwxr-xr-x 3 Venus Venus   4096 Jul  5 10:03 Desktop 
drwxr-xr-x 3 Venus Venus   4096 Jul  5 10:03 Favorites 
drwxr-xr-x 4 Venus Venus   4096 Jul  5 10:03 My Documents 
drwxr-xr-x 2 Venus Venus   4096 Jul  5 10:03 NetHood 
-rwxr--r-- 1 Venus Venus 524288 Jul  5  2007 NTUSER.DAT 
-rwxr--r-- 1 Venus Venus   1024 Jul  5  2007 NTUSER.DAT.LOG 
-rw-r--r-- 1 Venus Venus    268 Jul  5 10:03 ntuser.ini 
drwxr-xr-x 2 Venus Venus   4096 Jul  5 10:03 PrintHood 
drwxr-xr-x 2 Venus Venus   4096 Jul  5 10:03 Recent 
drwxr-xr-x 2 Venus Venus   4096 Jul  5 10:03 SendTo 
drwxr-xr-x 3 Venus Venus   4096 Jul  5 10:03 Start Menu 
drwxr-xr-x 2 Venus Venus   4096 Jul  5 10:03 Templates 


17.11. Groups in NTFS acls 


We have users on Unix, we have groups on Unix that contain those users. 


[root@RHEL4b samba]# grep nt /etc/group 
ntadmins:x:506:Administrator 
ntsports:x:507:Venus,Serena,Kim,Figo,Pfaff 
nttennis:x:508:Venus,Serena,Kim 
ntfootball:x:509:Figo,Pfaff 
[root@RHEL4b samba]# 


We already added Venus to the tdbsam with smbpasswd. 


smbpasswd -a Venus 


Does this mean that Venus can access the tennis and the sports shares? Yes, all access 
works fine on the Samba server. But the nttennis group is not available on the Windows 
machines. To make the groups available on Windows (for example in the NTFS security tab of 
files and folders), we have to map Unix groups to Windows groups. To do this, we use the net 
groupmap command. 


[root@RHEL4b samba]# net groupmap add ntgroup="tennis" unixgroup=nttennis type=d 
No rid or sid specified, choosing algorithmic mapping 
Successully added group tennis to the mapping db 
[root@RHEL4b samba]# net groupmap add ntgroup="football" unixgroup=ntfootball type=d 
No rid or sid specified, choosing algorithmic mapping 
Successully added group football to the mapping db 
[root@RHEL4b samba]# net groupmap add ntgroup="sports" unixgroup=ntsports type=d 
No rid or sid specified, choosing algorithmic mapping 
Successully added group sports to the mapping db 
[root@RHEL4b samba]# 


Now you can use the Samba groups on all NTFS volumes on members of the domain. 


17.12. logon scripts 


Before testing a logon script, make sure it has the proper carriage returns that DOS files have. 


[root@RHEL4b netlogon]# cat start.bat 

net use Z: \\DCSPORTSO\SPORTS 

[root@RHEL4b netlogon]# unix2dos start.bat 
unix2dos: converting file start.bat to DOS format 
[root@RHEL4b netlogon] # 


Then copy the scripts to the netlogon share, and add the following parameter to smb.conf. 


logon script = start.bat 
17.13. practice: samba domain controller 


1. Setup Samba as a domain controller. 


2. Create the shares salesdata, salespresentations and meetings. Salesdata must be accessible 
to all sales people and to all managers. SalesPresentations is only for all sales people. 
Meetings is only accessible to all managers. Use groups to accomplish this. 


3. Join a Microsoft computer to your domain. Verify the creation of a computer account 
in /etc/passwd. 


4. Setup and verify the proper working of roaming profiles. 


5. Find information about home directories for users, set them up and verify that users receive 
their home directory mapped under the H:-drive in MS Windows Explorer. 


6. Use a couple of samba domain groups with members to set acls on ntfs. Verify that it 
works! 


7. Knowing that the %m variable contains the computername, create a separate log file for 
every computer(account). 


8. Knowing that %a contains the client architecture (operating system), include a smb.%a.conf 
file that contains a share. (The share will only be visible to clients with that OS.) 


9. If time permits (or if you are waiting for other students to finish this practice), then 
combine "valid users" and "invalid users" with groups and usernames with "hosts allow" 
and "hosts deny" and make a table of which get priority over which. 
Chapter 18. a brief look at samba 4 
18.1. Samba 4 alpha 6 


A quick view on Samba 4 alpha 6 (January 2009). You can also follow this guide http:// 
wiki.samba.org/index.php/Samba4/HOWTO 


Remove old Samba from Red Hat 


yum remove samba 
set a fix ip address (Red Hat has an easy GUI) 


download and untar 


samba.org, click 'download info', choose mirror, dl samba4 latest alpha 


once untarred, enter the directory and read the howto4.txt 
cd samba-4.0.0alpha6/ 


more howto4.txt 


first we have to configure, compile and install samba4 
cd source4/ 

./configure 

make 

make install 


Then we can use the provision script to setup our realm. I used booi.schot as domain name 
(instead of example.com). 


./setup/provision --realm=BOOI.SCHOT --domain=BOOI --adminpass=stargate \ 
--server-role='domain controller' 


I added a simple share for testing 


vi /usr/local/samba/etc/smb.conf 


then i started samba 
cd /usr/local/samba/sbin/ 


./samba 


I tested with smbclient, it works 


smbclient //localhost/test -Uadministrator%stargate 


I checked that bind (and bind-chroot) were installed (yes), so copied the srv records 


cp booi.schot.zone /var/named/chroot/etc/ 


then appended to named.conf 


cat named.conf >> /var/named/chroot/etc/named.conf 
I followed these steps in the howto4.txt 


vi /etc/init.d/named [added two export lines right after start()] 
chmod a+r /usr/local/samba/private/dns.keytab 
cp krb5.conf /etc/ 
vi /var/named/chroot/etc/named.conf 
--> remove a lot, but keep allow-update { any; }; 


restart bind (named!), then tested dns with dig, this works (stripped screenshot!) 


[root@RHEL52 private]# dig _ldap._tcp.dc._msdcs.booi.schot SRV @localhost 
; (1 server found) 
;; global options:  printcmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58186 
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 

;; QUESTION SECTION: 
;_ldap._tcp.dc._msdcs.booi.schot.  IN  SRV 

;; AUTHORITY SECTION: 
.    10800  IN  SOA  A.ROOT-SERVERS.NET. ... 

;; Query time: 54 msec 
;; SERVER: 127.0.0.1#53(127.0.0.1) 
;; WHEN: Tue Jan 27 20:57:05 2009 
;; MSG SIZE  rcvd: 124 

[root@RHEL52 private]# 


made sure /etc/resolv.conf points to itself 


[root@RHEL52 private]# cat /etc/resolv.conf 
search booi.schot 
nameserver 127.0.0.1 


start windows 2003 server, enter the samba4 as DNS! 


ping the domain, if it doesn't work, then add your redhats hostname and your realm to 
windows/system32/drivers/etc/hosts 


join the windows computer to the domain 
reboot the windows 

log on with administrator stargate 

start run dsa.msc to manage samba4 


create an OU, a user and a GPO, test that it works 
Chapter 19. introduction to SELinux 


Security Enhanced Linux or SELinux is a set of modifications developed by the United 
States National Security Agency (NSA) to provide a variety of security policies for Linux. 
SELinux was released as open source at the end of 2000. Since kernel version 2.6 it is an 
integrated part of Linux. 


SELinux offers security! SELinux can control what kind of access users and processes have 
to files and other processes. Even when a file received chmod 777, SELinux can still prevent 
applications from accessing it (Unix file permissions are checked first, the SELinux policy 
second). SELinux does this by labeling every process and file with a security context and 
letting the policy decide which contexts may interact. Administrators have very strict control 
on the access permissions granted to these contexts. 


SELinux is present in the latest versions of Red Hat Enterprise Linux, Debian, CentOS, 
Fedora, and many other distributions. 


19.1. selinux modes 


selinux knows three modes: enforcing, permissive and disabled. The enforcing mode will 
enforce policies, and may deny access based on selinux rules. The permissive mode will not 
enforce policies, but can still log actions that would have been denied in enforcing mode. 
The disabled mode disables selinux. 


19.2. logging 


Verify that syslog is running and activated on boot to enable logging of deny messages in 
/var/log/messages. 


[root@rhel55 ~]# chkconfig --list syslog 
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off 


Verify that auditd is running and activated on boot to enable logging of easier to read 
messages in /var/log/audit/audit.log. 


[root@rhel55 ~]# chkconfig --list auditd 
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off 


If not activated, then run chkconfig --levels 2345 auditd on and service auditd start. 


[root@rhel55 ~]# service auditd status 
auditd (pid 1660) is running... 
[root@rhel55 ~]# service syslog status 
syslogd (pid 1688) is running... 
klogd (pid 1691) is running... 


The /var/log/messages log file will tell you that selinux is disabled. 


root@deb503:~# grep -i selinux /var/log/messages 
Jun 25 15:59:34 deb503 kernel: [    0.084083] SELinux:  Disabled at boot. 


Or that it is enabled. 


root@deb503:~# grep SELinux /var/log/messages | grep -i init 
Jun 25 15:09:52 deb503 kernel: [    0.084094] SELinux:  Initializing. 


19.3. activating selinux 


On RHEL you can use the GUI tool to activate selinux, on Debian there is the selinux- 
activate command. Activation requires a reboot. 


root@deb503:~# selinux-activate 
Activating SE Linux 


Searching for GRUB installation directory ... found: /boot/grub 

Searching for default file ... found: /boot/grub/default 

Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst 
Searching for splash image ... none found, skipping 

Found kernel: /boot/vmlinuz-2.6.26-2-686 

Updating /boot/grub/menu.lst ... done 


SE Linux is activated. You may need to reboot now. 
19.4. getenforce 


Use getenforce to verify whether selinux is enforced, disabled or permissive. 


[root@rhel55 ~]# getenforce 
Permissive 


The /selinux/enforce file contains 1 when enforcing, and 0 when permissive mode is active. 
The file has no trailing newline, so the prompt follows the value directly. 


[root@fedora13 ~]# cat /selinux/enforce 
1[root@fedora13 ~]# 


19.5. setenforce 


You can use setenforce to switch between the Permissive and the Enforcing state once 
selinux is activated. 


[root@rhel55 ~]# setenforce Enforcing 
[root@rhel55 ~]# getenforce 

Enforcing 

[root@rhel55 ~]# setenforce Permissive 
[root@rhel55 ~]# getenforce 

Permissive 


Or you could just use 0 and 1 as argument. 


[root@centos65 ~]# setenforce 1 
[root@centos65 ~]# getenforce 
Enforcing 

[root@centos65 ~]# setenforce 0 
[root@centos65 ~]# getenforce 
Permissive 

[root@centos65 ~]# 
19.6. sestatus 


You can see the current selinux status and policy with the sestatus command. 


[root@rhel55 -]# sestatus 


SELinux status: enabled 
SELinuxfs mount: /selinux 
Current mode: permissive 
Mode from config file: permissive 
Policy version: 21 

Policy from config file: targeted 


19.7. policy 


Most Red Hat servers will have the targeted policy. The mls (multi-level security) policy is 
used mostly in government and military environments. 


The targeted policy will protect hundreds of processes, but lets other processes run 
'unconfined' (= SELinux does not restrict them; only the Unix permissions apply). 


19.8. /etc/selinux/config 


The main configuration file for selinux is /etc/selinux/config. When in permissive mode, 
the file looks like this. 


The targeted policy is selected in /etc/selinux/config. 


[root@centos65 ~]# cat /etc/selinux/config 
# This file controls the state of SELinux on the system. 
# SELINUX= can take one of these three values: 
#     enforcing - SELinux security policy is enforced. 
#     permissive - SELinux prints warnings instead of enforcing. 
#     disabled - SELinux is fully disabled. 
SELINUX=permissive 
# SELINUXTYPE= type of policy in use. Possible values are: 
#     targeted - Only targeted network daemons are protected. 
#     strict - Full SELinux protection. 
SELINUXTYPE=targeted 
19.9. DAC or MAC 


Standard Unix permissions use Discretionary Access Control to set permissions on files. 


This means that a user that owns a file, can make it world readable by typing chmod 777 
$file. 


With selinux the kernel will enforce Mandatory Access Control which strictly controls 
what processes or threads can do with files (superseding DAC). Processes are confined by 
the kernel to the minimum access they require. 


SELinux MAC is about labeling and type enforcing! Files, processes, etc are all labeled with 
an SELinux context. For files, these are extended attributes, for processes this is managed 
by the kernel. 


The format of the labels is as follows: 


user:role:type:(level) 


We only use the type label in the targeted policy. 


19.10. ls -Z 


To see the DAC permissions on a file, use ls -l to display user and group owner and 
permissions. 


For MAC permissions there is a new -Z option added to ls. The output shows that the files in 
/root have the type admin_home_t. 


[root@centos65 ~]# ls -Z 
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg 
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log 
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog 
[root@centos65 ~]# useradd -m -s /bin/bash pol 
[root@centos65 ~]# ls -Z /home/pol/.bashrc 
-rw-r--r--. pol pol unconfined_u:object_r:user_home_t:s0 /home/pol/.bashrc 


19.11. -Z 


There are also some other tools with the -Z switch: 


mkdir -Z 
cp -Z 
ps -Z 
netstat -Z 




19.12. /selinux 


When selinux is active, there is a new virtual file system named /selinux. (You can compare 
it to /proc and /dev.) 


[root@centos65 ~]# ls -l /selinux/ 
total 0 
-rw-rw-rw-.  1 root root 0 Apr 12 19:40 access 
dr-xr-xr-x.  2 root root 0 Apr 12 19:40 avc 
dr-xr-xr-x.  2 root root 0 Apr 12 19:40 booleans 
-rw-r--r--.  1 root root 0 Apr 12 19:40 checkreqprot 
dr-xr-xr-x. 83 root root 0 Apr 12 19:40 class 
--w-------.  1 root root 0 Apr 12 19:40 commit_pending_bools 
-rw-rw-rw-.  1 root root 0 Apr 12 19:40 context 
-rw-rw-rw-.  1 root root 0 Apr 12 19:40 create 
-r--r--r--.  1 root root 0 Apr 12 19:40 deny_unknown 
--w-------.  1 root root 0 Apr 12 19:40 disable 
-rw-r--r--.  1 root root 0 Apr 12 19:40 enforce 
dr-xr-xr-x.  2 root root 0 Apr 12 19:40 initial_contexts 
-rw-------.  1 root root 0 Apr 12 19:40 load 
-rw-rw-rw-.  1 root root 0 Apr 12 19:40 member 
-r--r--r--.  1 root root 0 Apr 12 19:40 mls 
crw-rw-rw-.  1 root root 1, 3 Apr 12 19:40 null 
-r--r--r--.  1 root root 0 Apr 12 19:40 policy 
dr-xr-xr-x.  2 root root 0 Apr 12 19:40 policy_capabilities 
-r--r--r--.  1 root root 0 Apr 12 19:40 policyvers 
-r--r--r--.  1 root root 0 Apr 12 19:40 reject_unknown 
-rw-rw-rw-.  1 root root 0 Apr 12 19:40 relabel 
-r--r--r--.  1 root root 0 Apr 12 19:40 status 
-rw-rw-rw-.  1 root root 0 Apr 12 19:40 user 
Although some files in /selinux appear with size 0, they often contain a boolean value. Check 
/selinux/enforce to see if selinux is running in enforcing mode. 


[root@RHEL5 ~]# ls -l /selinux/enforce 
-rw-r--r-- 1 root root 0 Jan 29 08:21 /selinux/enforce 
[root@RHEL5 ~]# echo $(cat /selinux/enforce) 
1 


19.13. identity 


The SELinux identity of a user is distinct from the user ID. An identity is part of a security 
context, and (via domains) determines what you can do. The screenshot shows user root 
having identity user_u. 


[root@rhel55 ~]# id -Z 
user_u:system_r:unconfined_t 


19.14. role 


The selinux role defines the domains that can be used. A role is denied to enter a domain, 
unless the role is explicitly authorized to do so. 

19.15. type (or domain) 


The selinux domain is the security context a process runs in. The type of that domain 
determines what the process can do. The screenshot shows init running in type init_t and the 
mingetty's running in type getty_t. 


[root@centos65 ~]# ps fax -Z | grep /sbin/init 
system_u:system_r:init_t:s0         1 ?        Ss     0:00 /sbin/init 
[root@centos65 ~]# ps fax -Z | grep getty_t 
system_u:system_r:getty_t:s0     1307 tty1     Ss+    0:00 /sbin/mingetty /dev/tty1 
system_u:system_r:getty_t:s0     1309 tty2     Ss+    0:00 /sbin/mingetty /dev/tty2 
system_u:system_r:getty_t:s0     1311 tty3     Ss+    0:00 /sbin/mingetty /dev/tty3 
system_u:system_r:getty_t:s0     1313 tty4     Ss+    0:00 /sbin/mingetty /dev/tty4 
system_u:system_r:getty_t:s0     1320 tty5     Ss+    0:00 /sbin/mingetty /dev/tty5 
system_u:system_r:getty_t:s0     1322 tty6     Ss+    0:00 /sbin/mingetty /dev/tty6 


The selinux type is similar to an selinux domain, but refers to directories and files instead 
of processes. 


Hundreds of binaries also have a type: 


[root@centos65 sbin]# ls -1Z useradd usermod userdel httpd postcat postfix 
-rwXr-xr-x. root root system u:object r:httpd exec t:s0 httpd 

-rwxr-Xxr-x. root root system u:object r:postfix master exec t:sÜ0 postcat 
-rwxXr-xr-x. root root system u:object r:postfix master exec t:s0 postfix 


-rwxr-x---. root root system u:object r:useradd exec t:s0 useradd 
-rwxr-x---. root root system u:object r:useradd exec t:s0 userdel 
-rwxr-x---. root root system u:object r:useradd exec t:s0 usermod 


Ports also have a context. 


[root@centos65 sbin]# netstat -nptlZ | tr -s ' ' | cut -d' ' -f6- 
Foreign Address State PID/Program name Security Context 
LISTEN 1096/rpcbind system_u:system_r:rpcbind_t:s0 
LISTEN 1208/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 
LISTEN 1284/master system_u:system_r:postfix_master_t:s0 
LISTEN 1114/rpc.statd system_u:system_r:rpcd_t:s0 
LISTEN 1096/rpcbind system_u:system_r:rpcbind_t:s0 
LISTEN 1666/httpd unconfined_u:system_r:httpd_t:s0 
LISTEN 1208/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023 
LISTEN 1114/rpc.statd system_u:system_r:rpcd_t:s0 
LISTEN 1284/master system_u:system_r:postfix_master_t:s0 


You can also get a list of ports that are managed by SELinux: 


[root@centos65 ~]# semanage port -l | tail 
xfs_port_t                     tcp      7100 
xserver_port_t                 tcp      6000-6150 
zabbix_agent_port_t            tcp      10050 
zabbix_port_t                  tcp      10051 
zarafa_port_t                  tcp      236, 237 
zebra_port_t                   tcp      2600-2604, 2606 
zebra_port_t                   udp      2600-2604, 2606 
zented_port_t                  tcp      1229 
zented_port_t                  udp      1229 
zope_port_t                    tcp      8021 


19.16. security context 


The combination of identity, role and domain or type makes up the selinux security context. 
The id command will show you your security context in the form identity:role:domain. 


[paul@RHEL5 ~]$ id | cut -d' ' -f4 
context=user_u:system_r:unconfined_t 


The ls -Z command shows the security context for a file in the form identity:role:type. 


[paul@RHEL5 ~]$ ls -Z test 
-rw-rw-r--  paul paul user_u:object_r:user_home_t      test 


The security context for processes visible in /proc defines both the type (of the file in /proc) 
and the domain (of the running process). Let's take a look at the init process and /proc/1/. 


The init process runs in domain init_t. 


[root@RHEL5 ~]# ps -ZC init 
LABEL                             PID TTY          TIME CMD 
system_u:system_r:init_t            1 ?        00:00:00 init 


The /proc/1/ directory, which identifies the init process, has type init_t. 


[root@RHEL5 ~]# ls -Zd /proc/1/ 
dr-xr-xr-x  root root system_u:system_r:init_t         /proc/1/ 


It is not a coincidence that the domain of the init process and the type of /proc/1/ are both 
init_t. 


Don't try to use chcon on /proc! It will not work. 


19.17. transition 


A selinux transition (also called selinux labelling) determines the security context that will be 
assigned. A transition of process domains is used when you execute a process. A transition 
of file type happens when you create a file. 


An example of a file type transition: 


[pol@centos65 ~]$ touch test /tmp/test 
[pol@centos65 ~]$ ls -Z test 
-rw-rw-r--. pol pol unconfined_u:object_r:user_home_t:s0 test 
[pol@centos65 ~]$ ls -Z /tmp/test 
-rw-rw-r--. pol pol unconfined_u:object_r:user_tmp_t:s0 /tmp/test 


19.18. extended attributes 


Extended attributes are used by selinux to store security contexts. These attributes can be 
viewed with ls when selinux is running. 


[root@RHEL5 home]# ls --context 
drwx------  paul paul system_u:object_r:user_home_dir_t paul 
drwxr-xr-x  root root user_u:object_r:user_home_dir_t   project42 
drwxr-xr-x  root root user_u:object_r:user_home_dir_t   project55 
[root@RHEL5 home]# ls -Z 
drwx------  paul paul system_u:object_r:user_home_dir_t paul 
drwxr-xr-x  root root user_u:object_r:user_home_dir_t   project42 
drwxr-xr-x  root root user_u:object_r:user_home_dir_t   project55 
[root@RHEL5 home]# 


When selinux is not running, getfattr is the tool to use. 


[root@RHEL5 etc]# getfattr -m . -d hosts 
# file: hosts 
security.selinux="system_u:object_r:etc_t:s0\000" 


19.19. process security context 


A -Z option was added to ps to see the selinux security context of processes. 


[root@RHEL5 etc]# ps -ZC mingetty 
LABEL                             PID TTY          TIME CMD 
system_u:system_r:getty_t        2941 tty1     00:00:00 mingetty 
system_u:system_r:getty_t        2942 tty2     00:00:00 mingetty 


19.20. chcon 


Use chcon to change the selinux security context. 


This example shows how to use chcon to change the type of a file. 


[root@rhel55 ~]# ls -Z /var/www/html/test42.txt 
-rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/test42.txt 
[root@rhel55 ~]# chcon -t samba_share_t /var/www/html/test42.txt 
[root@rhel55 ~]# ls -Z /var/www/html/test42.txt 
-rw-r--r--  root root user_u:object_r:samba_share_t    /var/www/html/test42.txt 


Be sure to read man chcon. 
19.21. an example 


The Apache2 webserver is by default confined by the SELinux targeted policy. The next screenshot 
shows that any file created in /var/www/html will by default get the httpd_sys_content_t type. 


[root@centos65 ~]# touch /var/www/html/test42.txt 
[root@centos65 ~]# ls -Z /var/www/html/test42.txt 
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test42.txt 


Files created elsewhere do not get this type. 


[root@centos65 ~]# touch /root/test42.txt 
[root@centos65 ~]# ls -Z /root/test42.txt 
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/test42.txt 


Make sure Apache2 runs. 


[root@centos65 ~]# service httpd restart 
Stopping httpd:                                            [  OK  ] 
Starting httpd:                                            [  OK  ] 


Will this work? Yes it does. 


[root@centos65 ~]# wget http://localhost/test42.txt 
--2014-04-12 20:56:47--  http://localhost/test42.txt 
Resolving localhost... ::1, 127.0.0.1 
Connecting to localhost|::1|:80... connected. 
HTTP request sent, awaiting response... 200 OK 
Length: 0 [text/plain] 
Saving to: "test42.txt" 


Why does this work? Because Apache2 runs in the httpd_t domain and the files in /var/ 
www/html have the httpd_sys_content_t type. 


[root@centos65 ~]# ps -ZC httpd | head -4 
LABEL                             PID TTY          TIME CMD 
unconfined_u:system_r:httpd_t:s0 1666 ?        00:00:00 httpd 
unconfined_u:system_r:httpd_t:s0 1668 ?        00:00:00 httpd 
unconfined_u:system_r:httpd_t:s0 1669 ?        00:00:00 httpd 


So let's set SELinux to enforcing and change the type of this file. 


[root@centos65 ~]# chcon -t samba_share_t /var/www/html/test42.txt 
[root@centos65 ~]# ls -Z /var/www/html/test42.txt 
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test42.txt 
[root@centos65 ~]# setenforce 1 
[root@centos65 ~]# getenforce 
Enforcing 


There are two possibilities now: either it works, or it fails. It works when selinux is in 
permissive mode, it fails when in enforcing mode. 


[root@centos65 ~]# wget http://localhost/test42.txt 
--2014-04-12 21:05:02--  http://localhost/test42.txt 
Resolving localhost... ::1, 127.0.0.1 
Connecting to localhost|::1|:80... connected. 
HTTP request sent, awaiting response... 403 Forbidden 
2014-04-12 21:05:02 ERROR 403: Forbidden. 


The log file gives you a cryptic message... 


[root@centos65 ~]# tail -3 /var/log/audit/audit.log 
type=SYSCALL msg=audit(1398200702.803:64): arch=c000003e syscall=4 success=no exit=-13 a0=7f5fbc334d70 a1=7fff553b4f10 a2=7fff553b4f10 a3=0 items=0 ppid=1666 pid=1673 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(1398200702.804:65): avc:  denied  { getattr } for  pid=1673 comm="httpd" path="/var/www/html/test42.txt" dev=dm-0 ino=263241 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file 
type=SYSCALL msg=audit(1398200702.804:65): arch=c000003e syscall=6 success=no exit=-13 a0=7f5fbc334e40 a1=7fff553b4f10 a2=7fff553b4f10 a3=1 items=0 ppid=1666 pid=1673 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 


And /var/log/messages mentions nothing of the failed download. 
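The AVC record above already carries everything needed to diagnose the denial: the source domain (scontext), the target type (tcontext), the object class and the denied permission. The following Python script is an added example, not code from the book; it parses such audit.log lines, counts denials per domain/type/permission, and lists files under the web root whose label is not httpd_sys_content_t. The first two sample lines are the records shown above, re-typed unwrapped; the third AVC line is constructed so the summary has more than one permission to count. 

```python
"""Parse SELinux AVC denials from /var/log/audit/audit.log (added example, not from the book)."""
import re
from collections import Counter

# Constructed sample: the SYSCALL and AVC records from the chapter (unwrapped),
# plus one extra AVC line (id :66) that is made up for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1398200702.803:64): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1398200702.804:65): avc:  denied  { getattr } for  pid=1673 comm="httpd" path="/var/www/html/test42.txt" dev=dm-0 ino=263241 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1398200702.804:66): avc:  denied  { read open } for  pid=1673 comm="httpd" path="/var/www/html/test42.txt" dev=dm-0 ino=263241 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
"""

# An AVC record: verdict, the permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Generic key=value pairs; quoted values (comm, path) keep spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

WEB_ROOT = '/var/www/html/'
EXPECTED_WEB_TYPE = 'httpd_sys_content_t'   # default label for web content


def parse_context(ctx):
    """Split user:role:type[:level] into its parts; the level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'source': parse_context(m.group('scontext')),
        'target': parse_context(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'pid': fields.get('pid'),
    }


def denials(log_text):
    """All denied AVC records in the log text, in order."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return [d for d in parsed if d and d['verdict'] == 'denied']


def summarize(log_text):
    """Count denials per (source domain, target type, object class, permission)."""
    counts = Counter()
    for d in denials(log_text):
        for perm in d['perms']:
            counts[(d['source']['type'], d['target']['type'], d['tclass'], perm)] += 1
    return counts


def mislabelled_web_files(log_text):
    """Paths under the web root that httpd_t was denied on and that carry the wrong type.

    These are the cases restorecon fixes, as opposed to denials that need a boolean or policy.
    """
    return sorted({d['path'] for d in denials(log_text)
                   if d['source']['type'] == 'httpd_t'
                   and d['path'] and d['path'].startswith(WEB_ROOT)
                   and d['target']['type'] != EXPECTED_WEB_TYPE})


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print('%-12s -> %-20s %-5s %-8s x%d' % (key + (n,)))
    for path in mislabelled_web_files(SAMPLE_AUDIT_LOG):
        print('restorecon -v %s' % path)
```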




19.22. setroubleshoot 


The log file above was not very helpful, but these two packages can make your life much 
easier. 


[root@centos65 ~]# yum -y install setroubleshoot setroubleshoot-server 


You need to reboot for this to work... 


So we reboot, restart the httpd server, set SELinux to enforcing again, and do the wget again... 
and it fails (because of SELinux). 


[root@centos65 ~]# service httpd restart 
Stopping httpd:                                            [FAILED] 
Starting httpd:                                            [  OK  ] 
[root@centos65 ~]# getenforce 
Permissive 
[root@centos65 ~]# setenforce 1 
[root@centos65 ~]# getenforce 
Enforcing 
[root@centos65 ~]# wget http://localhost/test42.txt 
--2014-04-12 21:44:13--  http://localhost/test42.txt 
Resolving localhost... ::1, 127.0.0.1 
Connecting to localhost|::1|:80... connected. 
HTTP request sent, awaiting response... 403 Forbidden 
2014-04-12 21:44:13 ERROR 403: Forbidden. 


The /var/log/audit/ is still not our best friend, but take a look at /var/log/messages. 


[root@centos65 ~]# tail -2 /var/log/messages 
Apr 12 21:44:16 centos65 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test42.txt. For complete SELinux messages. run sealert -l b2a84386-54c1-4344-96fb-dcf969776696 
Apr 12 21:44:16 centos65 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test42.txt. For complete SELinux messages. run sealert -l b2a84386-54c1-4344-96fb-dcf969776696 


So we run the command it suggests... 


[root@centos65 ~]# sealert -l b2a84386-54c1-4344-96fb-dcf969776696 
SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/test42.txt. 


*****  Plugin restorecon (99.5 confidence) suggests  ************************* 


If you want to fix the label. 
/var/www/html/test42.txt default label should be httpd_sys_content_t. 
Then you can run restorecon. 
Do 
# /sbin/restorecon -v /var/www/html/test42.txt 


We follow the friendly advice and try again to download our file: 


[root@centos65 ~]# /sbin/restorecon -v /var/www/html/test42.txt 
/sbin/restorecon reset /var/www/html/test42.txt context unconfined_u:object_r:samba_share_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0 
[root@centos65 ~]# wget http://localhost/test42.txt 
--2014-04-12 21:54:03--  http://localhost/test42.txt 
Resolving localhost... ::1, 127.0.0.1 
Connecting to localhost|::1|:80... connected. 
HTTP request sent, awaiting response... 200 OK 


It works! 
19.23. booleans 


Booleans are on/off switches. 


[root@centos65 ~]# getsebool -a | head 
abrt_anon_write --> off 
abrt_handle_event --> off 
allow_console_login --> on 
allow_cvs_read_shadow --> off 
allow_daemons_dump_core --> on 
allow_daemons_use_tcp_wrapper --> off 
allow_daemons_use_tty --> on 
allow_domain_fd_use --> on 
allow_execheap --> off 
allow_execmem --> on 




You can set and read individual booleans. 


[root@centos65 ~]# setsebool httpd_read_user_content=1 
[root@centos65 ~]# getsebool httpd_read_user_content 
httpd_read_user_content --> on 
[root@centos65 ~]# setsebool httpd_enable_homedirs=1 
[root@centos65 ~]# getsebool httpd_enable_homedirs 
httpd_enable_homedirs --> on 


You can set these booleans permanently. 


[root@centos65 ~]# setsebool -P httpd_enable_homedirs=1 
[root@centos65 ~]# setsebool -P httpd_read_user_content=1 


The above commands regenerate the complete /etc/selinux/targeted directory! 


[root@centos65 ~]# cat /etc/selinux/targeted/modules/active/booleans.local 
# This file is auto-generated by libsemanage 
# Do not edit directly. 

httpd_enable_homedirs=1 
httpd_read_user_content=1 


Chapter 20. git 


This chapter is an introduction to using git on the command line. The git repository is hosted 
by github, but you are free to choose another server (or create your own). 


There are many excellent online tutorials for git. This list can save you one Google query: 


http://gitimmersion.com/ 
http://git-scm.com/book 
20.1. git 


Linus Torvalds created git back in 2005 when Bitkeeper changed its license and the Linux 
kernel developers were no longer able to use it for free. 


git quickly became popular and is now the most widely used distributed version control 
system in the world. 


Geek and Poke demonstrates why we need version control (image property of Geek and 
Poke CCA 3.0). 


[Image: Geek and Poke comic "Simply Explained". Which file is the current one: 
budget estimation final v1.1-ow.xlsx, budget estimation last version 2.xlsx, 
or budget estimation 2012 10 25 ready new.xlsx? The answer: VERSION CONTROL.] 


Besides source code for software, you can also find German and Icelandic law on github 
(and probably much more by the time you are reading this). 
20.2. installing git 


We install git with aptitude install git as seen in this screenshot on Debian 6. 


root@debian6:~# aptitude install git 
The following NEW packages will be installed: 
  git libcurl3-gnutls{a} liberror-perl{a} 
0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded. 
Processing triggers for man-db ... 
Setting up libcurl3-gnutls (7.21.0-2.1+squeeze2) ... 
Setting up liberror-perl (0.17-1) ... 
Setting up git (1:1.7.2.5-3) ... 


20.3. starting a project 


First we create a project directory, with a simple file in it. 


paul@debian6~$ mkdir project42 
paul@debian6~$ cd project42/ 
paul@debian6~/project42$ echo "echo The answer is 42." >> question.sh 


20.3.1. git init 


Then we tell git to create an empty git repository in this directory. 


paul@debian6~/project42$ ls -la 
total 12 
drwxrwxr-x  2 paul paul 4096 Dec  8 16:41 . 
drwxr-xr-x 46 paul paul 4096 Dec  8 16:41 .. 
-rw-rw-r--  1 paul paul   23 Dec  8 16:41 question.sh 
paul@debian6~/project42$ git init 
Initialized empty Git repository in /home/paul/project42/.git/ 
paul@debian6~/project42$ ls -la 
total 16 
drwxrwxr-x  3 paul paul 4096 Dec  8 16:44 . 
drwxr-xr-x 46 paul paul 4096 Dec  8 16:41 .. 
drwxrwxr-x  7 paul paul 4096 Dec  8 16:44 .git 
-rw-rw-r--  1 paul paul   23 Dec  8 16:41 question.sh 


20.3.2. git config 


Next we use git config to set some global options. 


paul@debian6$ git config --global user.name Paul 
paul@debian6$ git config --global user.email "paul.cobbaut@gmail.com" 
paul@debian6$ git config --global core.editor vi 


We can verify this config in ~/.gitconfig: 


paul@debian6~/project42$ cat ~/.gitconfig 
[user] 
	name = Paul 
	email = paul.cobbaut@gmail.com 
[core] 
	editor = vi 


20.3.3. git add 


Time now to add the file to our project with git add, and verify that it is added with git status. 


paul@debian6~/project42$ git add question.sh 
paul@debian6~/project42$ git status 
# On branch master 
# 
# Initial commit 
# 
# Changes to be committed: 
#   (use "git rm --cached <file>..." to unstage) 
# 
#	new file:   question.sh 
# 


The git status tells us there is a new file ready to be committed. 


20.3.4. git commit 


With git commit you force git to record all added files (and all changes to those files) 
permanently. 


paul@debian6~/project42$ git commit -m "Starting a project" 
[master (root-commit) 5c10768] starting a project 
1 file changed, 1 insertion(+) 
create mode 100644 question.sh 
paul@debian6~/project42$ git status 
# On branch master 
nothing to commit (working directory clean) 


20.3.5. changing a committed file 


The screenshots below show several steps. First we change a file: 


paul@debian6~/project42$ git status 

# On branch master 

nothing to commit (working directory clean) 
paul@debian6~/project42$ vi question.sh 


Then we verify the status and see that it is modified: 


paul@debian6~/project42$ git status 
# On branch master 
# Changes not staged for commit: 


# (use "git add <file>..." to update what will be committed) 

# (use "git checkout <file>..." to discard changes in working directory) 
# 

# modified: question.sh 

# 


no changes added to commit (use "git add" and/or "git commit -a") 


Next we add it to the git repository. 


paul@debian6~/project42$ git add question.sh 
paul@debian6~/project42$ git commit -m "adding a she-bang to the main script" 
[master 8658347] adding a she-bang to the main script 
 1 file changed, 1 insertion(+) 
paul@debian6~/project42$ git status 
# On branch master 
nothing to commit (working directory clean) 


20.3.6. git log 


We can see all our commits again using git log. 
paul@debian6~/project42$ git log 
commit 86b8347192ea025815df7a8e628d99474b41fb6c 
Author: Paul <paul.cobbaut@gmail.com> 
Date:   Sat Dec 8 17:12:24 2012 +0100 

    adding a she-bang to the main script 

commit 5c10768f29aecc16161fb197765e0f14383f7bca 
Author: Paul <paul.cobbaut@gmail.com> 
Date:   Sat Dec 8 17:09:29 2012 +0100 

    starting a project 


The log format can be changed. 


paul@debian6~/project42$ git log --pretty=oneline 
86b8347192ea025815df7a8e628d99474b41fb6c adding a she-bang to the main script 
5c10768f29aecc16161fb197765e0f14383f7bca starting a project 


The log format can be customized a lot. 


paul@debian6~/project42$ git log --pretty=format:"%an: %ar :%s" 
Paul: 8 minutes ago :adding a she-bang to the main script 
Paul: 11 minutes ago :starting a project 


20.3.7. git mv 


Renaming a file can be done with mv followed by a git rm and a git add of the new 
filename. But it can be done easier and in one command using git mv. 


paul@debian6~/project42$ git mv question.sh thequestion.sh 
paul@debian6~/project42$ git status 

# On branch master 

# Changes to be committed: 


# (use "git reset HEAD <file>..." to unstage) 
# 

#	renamed:    question.sh -> thequestion.sh 
# 


paul@debian6~/project42$ git commit -m "improved naming scheme" 
[master 69b2c8b] improved naming scheme 
 1 file changed, 0 insertions(+), 0 deletions(-) 
 rename question.sh => thequestion.sh (100%) 
20.4. git branches 


Working on the project can be done in one or more git branches. Here we create a new 
branch that will make changes to the script. We will merge this branch with the master 
branch when we are sure the script works. (It can be useful to add git status commands 
when practicing). 


paul@debian6~/project42$ git branch 

* master 

paul@debian6~/project42$ git checkout -b newheader 
Switched to a new branch 'newheader' 
paul@debian6~/project42$ vi thequestion.sh 
paul@debian6~/project42$ git add thequestion.sh 
paul@debian6~/project42$ source thequestion.sh 

The answer is 42. 


It seems to work, so we commit in this branch. 


paul@debian6~/project42$ git commit -m "adding a new company header" 
[newheader 730a22b] adding a new company header 
 1 file changed, 4 insertions(+) 
paul@debian6~/project42$ git branch 
master 
* newheader 
paul@debian6~/project42$ cat thequestion.sh 
#!/bin/bash 
# 
# copyright linux-training.be 
# 


echo The answer is 42. 


Let us go back to the master branch and see what happened there. 


paul@debian6~/project42$ git checkout master 
Switched to branch 'master' 
paul@debian6~/project42$ cat thequestion.sh 
#!/bin/bash 

echo The answer is 42. 


Nothing happened in the master branch, because we worked in another branch. 


When we are sure the branch is ready for production, then we merge it into the master branch. 


paul@debian6~/project42$ cat thequestion.sh 
#!/bin/bash 
echo The answer is 42. 
paul@debian6~/project42$ git merge newheader 
Updating 69b2c8b..730a22b 
Fast-forward 
 thequestion.sh |    4 ++++ 
 1 file changed, 4 insertions(+) 
paul@debian6~/project42$ cat thequestion.sh 
#!/bin/bash 
# 
# copyright linux-training.be 
# 


echo The answer is 42. 


The newheader branch can now be deleted. 
paul@debian6~/project42$ git branch 
* master 

newheader 
paul@debian6~/project42$ git branch -d newheader 
Deleted branch newheader (was 730a22b). 
paul@debian6~/project42$ git branch 
* master 


20.5. to be continued... 


The git story is not finished. 


There are many excellent online tutorials for git. This list can save you one Google query: 


http://gitimmersion.com/ 
http://git-scm.com/book 
20.6. github.com 


Create an account on github.com. This website is a frontend for an immense git server with 
over two and a half million users and almost five million projects (including Fedora, Linux 
kernel, Android, Ruby on Rails, Wine, X.org, VLC...) 


https://github.com/signup/free 


This account is free of charge, we will use it in the examples below. 


20.7. add your public key to github 


I prefer to use github with a public key, so it probably is a good idea that you also upload 
your public key to github.com. 


You can upload your own key via the web interface: 


https://github.com/settings/ssh 


Please do not forget to protect your private key! 
20.8. practice: git 


1. Create a project on github to host a script that you wrote. Have at least two other people 
improve the script. 
21.1. about ipv6 


The ipv6 protocol is designed to replace ipv4. Where ip version 4 supports a maximum 
of four billion unique addresses, ip version 6 expands this to four billion times four 
billion times four billion times four billion unique addresses. This is more than 
100.000.000.000.000.000.000 ipv6 addresses per square cm on our planet. That should be 
enough, even if every cell phone, every coffee machine and every pair of socks gets an 
address. 


Technically speaking ipv6 uses 128-bit addresses (instead of the 32-bit from ipv4). 128-bit 
addresses are huge numbers. In decimal it would amount up to 39 digits, in hexadecimal 
it looks like this: 


fe80:0000:0000:0000:0a00:27ff:fe8e:8aa8 


Luckily ipv6 allows us to omit leading zeroes. Our address from above then becomes: 


fe80:0:0:0:a00:27ff:fe8e:8aa8 


When a 16-bit block is zero, it can be written as ::. Consecutive 16-bit blocks that are zero 
can also be written as ::. So our address from above can be shortened to: 


fe80::a00:27ff:fe8e:8aa8 


This :: can only occur once! The following is not a valid ipv6 address: 


fe80::20:2e4f::39ac 


The ipv6 localhost address is 0000:0000:0000:0000:0000:0000:0000:0001, which can be 
abbreviated to ::1. 


paul@debian5:~/github/lt/images$ /sbin/ifconfig lo | grep inet6 
          inet6 addr: ::1/128 Scope:Host 


21.2. network id and host id 


One of the few similarities between ipv4 and ipv6 is that addresses have a host part and a 
network part determined by a subnet mask. Using the cidr notation this looks like this: 


fe80::a00:27ff:fe8e:8aa8/64 


The above address has 64 bits for the host id, theoretically allowing for 4 billion times four 
billion hosts. 


The localhost address looks like this with cidr: 


::1/128 


21.3. host part generation 


The host part of an automatically generated (stateless) ipv6 address contains part of the host's 
mac address: 


paul@debian5:~$ /sbin/ifconfig | head -3 
eth3      Link encap:Ethernet  HWaddr 08:00:27:ab:67:30 
          inet addr:192.168.1.29  Bcast:192.168.1.255  Mask:255.255.255.0 
          inet6 addr: fe80::a00:27ff:feab:6730/64 Scope:Link 


Some people are concerned about privacy here... 


21.4. ipv4 mapped ipv6 address 


Some applications use ipv4 addresses embedded in an ipv6 address. (Yes there will be an 
era of migration with both ipv4 and ipv6 in use.) The ipv6 address then looks like this: 


::ffff:192.168.1.42 


Indeed a mix of decimal and hexadecimal characters... 


21.5. link local addresses 


ipv6 addresses starting with fe8. can only be used on the local segment (replace the dot with 
a hexadecimal digit). This is the reason you see Scope:Link behind the address in this 
screenshot. This address serves only the local link. 


paul@deb503:~$ /sbin/ifconfig | grep inet6 
inet6 addr: fe80::a00:27ff:fe8e:8aa8/64 Scope:Link 
inet6 addr: ::1/128 Scope:Host 


These link local addresses all begin with fe8.. 


Every ipv6 enabled nic will get an address in this range. 


21.6. unique local addresses 


The now obsolete system of site local addresses, similar to ipv4 private ranges, is replaced 
with a system of globally unique local ipv6 addresses. This prevents duplicates when networks 
that use site local ranges are joined. 


All unique local addresses start with fd... 


21.7. globally unique unicast addresses 


Since ipv6 was designed to have multiple ip addresses per interface, the global ipv6 address 
can be used next to the link local address. 


These globally unique addresses all begin with 2... or 3... as the first 16 bits. 
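The following Python script is an added example, not code from the book, that applies the rules from sections 21.1 to 21.7: it expands an address to eight 4-digit blocks, compresses it again (dropping leading zeroes and writing the longest run of zero blocks as ::), rejects the invalid fe80::20:2e4f::39ac from above because :: occurs twice, and classifies an address by its first 16 bits (::1, fe8., fd.., 2... or 3...). 

```python
"""Expand, compress, validate and classify ipv6 addresses (added example, not from the book)."""
import re

HEX_BLOCK = re.compile(r'^[0-9a-fA-F]{1,4}$')   # one 16-bit block, 1 to 4 hex digits


def expand(addr):
    """Return addr as eight zero-padded 4-digit hex blocks; raise ValueError if invalid."""
    if addr.count('::') > 1:
        raise ValueError('"::" may occur only once: %s' % addr)
    if ':::' in addr:
        raise ValueError('malformed address: %s' % addr)
    if '::' in addr:
        head, tail = addr.split('::')
        left = head.split(':') if head else []
        right = tail.split(':') if tail else []
        missing = 8 - len(left) - len(right)   # zero blocks hidden behind the "::"
        if missing < 1:
            raise ValueError('"::" must stand for at least one block: %s' % addr)
        blocks = left + ['0'] * missing + right
    else:
        blocks = addr.split(':')
    if len(blocks) != 8:
        raise ValueError('expected 8 blocks, got %d: %s' % (len(blocks), addr))
    for block in blocks:
        if not HEX_BLOCK.match(block):
            raise ValueError('bad block %r in %s' % (block, addr))
    return ':'.join(block.lower().zfill(4) for block in blocks)


def is_valid(addr):
    """True when expand() accepts the address."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(addr):
    """Shortest form: drop leading zeroes and write the longest run of zero blocks as "::"."""
    blocks = [b.lstrip('0') or '0' for b in expand(addr).split(':')]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != '0':
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == '0':
            j += 1
        if j - i > best_len:            # the first longest run wins (RFC 5952)
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                    # RFC 5952 leaves a single zero block as "0"
        return ':'.join(blocks)
    left = ':'.join(blocks[:best_start])
    right = ':'.join(blocks[best_start + best_len:])
    return left + '::' + right


def scope(addr):
    """Classify by the first 16 bits: host (::1), link, unique local, global or multicast."""
    full = expand(addr)
    if full == '0000:0000:0000:0000:0000:0000:0000:0001':
        return 'host'
    first = int(full[:4], 16)
    if first & 0xffc0 == 0xfe80:         # fe80::/10, "starts with fe8." in the text
        return 'link'
    if first & 0xfe00 == 0xfc00:         # fc00::/7, in practice the fd.. addresses
        return 'unique local'
    if first & 0xe000 == 0x2000:         # 2000::/3, first block 2... or 3...
        return 'global'
    if first & 0xff00 == 0xff00:         # ff00::/8, e.g. ff02::1 (all nodes on the link)
        return 'multicast'
    return 'other'


if __name__ == '__main__':
    for a in ('fe80:0000:0000:0000:0a00:27ff:fe8e:8aa8', '::1', '2002:51a5:657d::1',
              'fdcb:43c1:9c18:1::1', 'ff02::1', 'fe80::20:2e4f::39ac'):
        if is_valid(a):
            print('%-40s %-26s %s' % (expand(a), compress(a), scope(a)))
        else:
            print('%-40s invalid' % a)
```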


21.8. 6to4 


6to4 is defined in RFCs 2893 and 3056 as one possible way to transition between ipv4 and 
ipv6 by creating an ipv6 tunnel. 


It encodes an ipv4 address in an ipv6 address that starts with 2002. For example 
192.168.1.42/24 will be encoded as: 


2002:c0a8:012a:0018::1 


You can use the command below to convert any ipv4 address to this range. 


paul@ubu1010:~$ printf "2002:%02x%02x:%02x%02x:%04x::1\n" `echo 192.168.1.42/24 \ 
| tr "./" "  "` 
2002:c0a8:012a:0018::1 


21.9. ISP 


Should you be so lucky to get an ipv6 address from an isp, then it will start with 2001:. 


21.10. non routable addresses 


Comparable to example.com for DNS, the following ipv6 address ranges are reserved for 
examples, and not routable on the internet. 


3fff:ffff::/32 
2001:0db8::/32 


21.11. ping6 


Use ping6 to test connectivity between ipv6 hosts. You need to specify the interface (there 
is no routing table for 'random' generated ipv6 link local addresses). 


[root@fedora14 ~]# ping6 -I eth0 fe80::a00:27ff:fecd:7ffc 
PING fe80::a00:27ff:fecd:7ffc(fe80::a00:27ff:fecd:7ffc) from fe80::a00:27ff:fe3c:4346 eth0: 
64 bytes from fe80::a00:27ff:fecd:7ffc: icmp_seq=1 ttl=64 time=0.586 ms 
64 bytes from fe80::a00:27ff:fecd:7ffc: icmp_seq=2 ttl=64 time=3.95 ms 
64 bytes from fe80::a00:27ff:fecd:7ffc: icmp_seq=3 ttl=64 time=1.53 ms 


Below a multicast ping6 that receives replies from three ip6 hosts on the same network. 


[root@fedora14 ~]# ping6 -I eth0 ff02::1 
PING ff02::1(ff02::1) from fe80::a00:27ff:fe3c:4346 eth0: 56 data bytes 
64 bytes from fe80::a00:27ff:fe3c:4346: icmp_seq=1 ttl=64 time=0.598 ms 
64 bytes from fe80::a00:27ff:fecd:7ffc: icmp_seq=1 ttl=64 time=1.87 ms (DUP!) 
64 bytes from fe80::8e7b:9dff:fed6:dff2: icmp_seq=1 ttl=64 time=535 ms (DUP!) 
64 bytes from fe80::a00:27ff:fe3c:4346: icmp_seq=2 ttl=64 time=0.106 ms 
64 bytes from fe80::8e7b:9dff:fed6:dff2: icmp_seq=2 ttl=64 time=1.79 ms (DUP!) 
64 bytes from fe80::a00:27ff:fecd:7ffc: icmp_seq=2 ttl=64 time=2.48 ms (DUP!) 
21.12. Belgium and ipv6 


A lot of information on ipv6 in Belgium can be found at www.ipv6council.be. 


Sites like ipv6.belgium.be, www.bipt.be and www.bricozone.be are enabled for ipv6. Some 
Universities also: fundp.ac.be (Namur) and ulg.ac.be (Liege). 


21.13. other websites 


Other useful websites for testing ipv6 are: 


test-ipv6.com 
ipv6-test.com 


Going to the ipv6-test.com website will test whether you have a valid accessible ipv6 
address. 


[Screenshot of ipv6-test.com: IPv6 address 2002:51a5:657d::1, address type 6to4, 
6to4 mapping to IPv4 address 81.165.101.125 (d51A5657D.access.telenet.be), 
"Your internet connection is IPv4 capable".] 


Going to the test-ipv6.com website will also test whether you have a valid accessible ipv6 
address. 
[Screenshot of test-ipv6.com, "Test your IPv6 connectivity": Congratulations! You appear to have 
both IPv4 and IPv6 Internet working. Your browser appears to prefer IPv4 over IPv6 when given the 
choice. You appear to be using a public 6to4 gateway; such public gateways have no service level 
agreements, better would be to get a native IPv6 address from your ISP. Your DNS server appears 
to have no access to the IPv6 Internet. Readiness scores: 7/10 for IPv4, 7/10 for IPv6.] 




21.14. 6to4 gateways 


To access ipv4 only websites when on ipv6 you can use sixxs.net (more specifically http:// 
www.sixxs.net/tools/gateway/) as a gateway. 


For example use http://www.slashdot.org.sixxs.org/ instead of http://slashdot.org 


21.15. ping6 and dns 


Below a screenshot of a ping6 from behind a 6to4 connection. 


2002:51a5:657d::1 2001:41d0:2:67d1::7e57:1 ICMPv6 Echo request 
2001:41d0:2:67d1::7e57:1 2002:51a5:657d::1 ICMPv6 Echo reply 
2002:51a5:657d::1 2001:41d0:2:67d1::7e57:1 ICMPv6 Echo request 
2001:41d0:2:67d1::7e57:1 2002:51a5:657d::1 ICMPv6 Echo reply 


21.16. ipv6 and tcp/http 


Below a screenshot of a tcp handshake and http connection over ipv6. 


[Screenshot of a packet capture (columns Source, Destination, Protocol, Info) showing the tcp handshake and http connection over ipv6.] 


21.17. ipv6 PTR record 


As seen in the DNS chapter, ipv6 PTR records are in the ip6.arpa domain, and have 32 
generations of child domains. 


Frame 46 (132 bytes on wire, 132 bytes captured) 
Ethernet II, Src: Apple_5d:2e:52 (00:26:bb:5d:2e:52), Dst: Riverdel_cf:6a:10 (00:30:b8:cf:6a:10) 
Internet Protocol, Src: 81.165.101.125 (81.165.101.125), Dst: 195.130.131.4 (195.130.131.4) 
User Datagram Protocol, Src Port: 34361 (34361), Dst Port: domain (53) 
Domain Name System (query) 
    [Response In: 47] 
    Transaction ID: 0xcfe3 
    Flags: 0x0180 (Standard query) 
    Questions: 1 
    Answer RRs: 0 
    Authority RRs: 0 
    Additional RRs: 0 
    Queries 
        1.0.0.0.7.5.e.7.0.0.0.0.0.0.0.0.1.d.7.6.2.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa: type PTR, class IN 
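An added Python example (not code from the book) that ties sections 21.8 and 21.17 together: it encodes an ipv4 address into the 2002::/16 range the way the printf one-liner does, recovers the ipv4 address from a 6to4 address, builds the 32-label ip6.arpa name for the PTR query captured above, and flags 6to4 addresses built from a private ipv4 address (as in the 192.168.1.42 example), which public 6to4 relays cannot reach. It uses Python's standard ipaddress module. 

```python
"""6to4 encoding and ip6.arpa PTR names (added example, not from the book)."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network('2002::/16')


def to_6to4(ipv4, subnet=0, host=1):
    """Build 2002:<ipv4 as 8 hex digits>:<subnet>::<host>, e.g. 192.168.1.42 -> 2002:c0a8:12a::1."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 128-bit layout: 16-bit prefix 2002, 32-bit ipv4, 16-bit subnet id, 64-bit host part
    value = (0x2002 << 112) | (v4 << 80) | ((subnet & 0xffff) << 64) | (host & ((1 << 64) - 1))
    return ipaddress.IPv6Address(value)


def from_6to4(ipv6):
    """Recover the embedded ipv4 address from a 2002::/16 address, or raise ValueError."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        raise ValueError('%s is not a 6to4 address' % v6)
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xffffffff)


def is_usable_6to4(ipv6):
    """6to4 only works when the embedded ipv4 address is public: relays cannot reach private ranges."""
    return from_6to4(ipv6).is_global


def ptr_name(ipv6):
    """The ip6.arpa name for a PTR lookup: 32 single-nibble labels, least significant nibble first."""
    nibbles = ipaddress.IPv6Address(ipv6).exploded.replace(':', '')
    return '.'.join(reversed(nibbles)) + '.ip6.arpa'


if __name__ == '__main__':
    # 0x18 is the /24 the printf example packs into the subnet field
    for v4, subnet in (('192.168.1.42', 0x18), ('81.165.101.125', 0)):
        v6 = to_6to4(v4, subnet)
        print('%-16s -> %-24s back to %-16s usable: %s'
              % (v4, v6, from_6to4(v6), is_usable_6to4(v6)))
    print(ptr_name('2001:41d0:2:67d1::7e57:1'))
```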


21.18. 6to4 setup on Linux 


Below a transcript of a 6to4 setup on Linux. 


Thanks to http://www.anyweb.co.nz/tutorial/v6Linux6to4 and http://mirrors.bieringer.de/ 
Linux+IPv6-HOWTO/ and tldp.org! 


root@mac:~# ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:26:bb:5d:2e:52 
          inet addr:81.165.101.125  Bcast:255.255.255.255  Mask:255.255.248.0 
          inet6 addr: fe80::226:bbff:fe5d:2e52/64 Scope:Link 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
          RX packets:5926044 errors:0 dropped:0 overruns:0 fr 
          TX packets:2985892 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:4274849823 (4.2 GB)  TX bytes:237002019 (237.0 MB) 
          Interrupt:43 Base address:0x8000 


lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0 
          inet6 addr: ::1/128 Scope:Host 

UP LOOPBACK RUNNING MTU:16436 Metric:1 

RX packets:598 errors:0 dropped:0 overruns:0 frame:0 
TX packets:598 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:0 

RX bytes:61737 (61.7 KB) TX bytes:61737 (61.7 KB) 


root@mac:~# sysctl -w net.ipv6.conf.default.forwarding=1 
net.ipv6.conf.default.forwarding = 1 
root@mac:~# ip tunnel add tun6to4 mode sit remote any local 81.165.101.125 
root@mac:~# ip link set dev tun6to4 mtu 1472 up 
root@mac:~# ip link show dev tun6to4 
10: tun6to4: <NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN 
    link/sit 81.165.101.125 brd 0.0.0.0 
root@mac:~# ip -6 addr add dev tun6to4 2002:51a5:657d:0::1/64 
root@mac:~# ip -6 addr add dev eth0 2002:51a5:657d:1::1/64 
root@mac:~# ip -6 addr add dev eth0 fdcb:43c1:9c18:1::1/64 
root@mac:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:26:bb:5d:2e:52
          inet addr:81.165.101.125  Bcast:255.255.255.255  Mask:255.255.248.0
          inet6 addr: fe80::226:bbff:fe5d:2e52/64 Scope:Link
          inet6 addr: fdcb:43c1:9c18:1::1/64 Scope:Global
          inet6 addr: 2002:51a5:657d:1::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5927436 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2986025 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4274948430 (4.2 GB)  TX bytes:237014619 (237.0 MB)
          Interrupt:43 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:598 errors:0 dropped:0 overruns:0 frame:0
          TX packets:598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:61737 (61.7 KB)  TX bytes:61737 (61.7 KB)

tun6to4   Link encap:IPv6-in-IPv4
          inet6 addr: ::81.165.101.125/128 Scope:Compat
          inet6 addr: 2002:51a5:657d::1/64 Scope:Global
          UP RUNNING NOARP  MTU:1472  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


root@mac:~# ip -6 route add 2002::/16 dev tun6to4
root@mac:~# ip -6 route add ::/0 via ::192.88.99.1 dev tun6to4 metric 1
root@mac:~# ip -6 route show
::/96 via :: dev tun6to4 metric 256 mtu 1472 advmss 1412 hoplimit 0
2002:51a5:657d::/64 dev tun6to4 proto kernel metric 256 mtu 1472 advmss 1412 hoplimit 0
2002:51a5:657d:1::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2002::/16 dev tun6to4 metric 1024 mtu 1472 advmss 1412 hoplimit 0
fdcb:43c1:9c18:1::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev tun6to4 proto kernel metric 256 mtu 1472 advmss 1412 hoplimit 0
default via ::192.88.99.1 dev tun6to4 metric 1 mtu 1472 advmss 1412 hoplimit 0
root@mac:~# ping6 ipv6-test.com
PING ipv6-test.com(ipv6-test.com) 56 data bytes
64 bytes from ipv6-test.com: icmp_seq=1 ttl=57 time=42.4 ms
64 bytes from ipv6-test.com: icmp_seq=2 ttl=57 time=43.0 ms
64 bytes from ipv6-test.com: icmp_seq=3 ttl=57 time=43.5 ms
64 bytes from ipv6-test.com: icmp_seq=4 ttl=57 time=43.9 ms
64 bytes from ipv6-test.com: icmp_seq=5 ttl=57 time=45.6 ms
^C
--- ipv6-test.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 42.485/43.717/45.632/1.091 ms
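Every 2002: address in the transcript (2002:51a5:657d::1 on the tunnel, 2002:51a5:657d:1::1 on eth0, the 2002::/16 route) hangs off the 6to4 prefix that RFC 3056 derives from the endpoint's public IPv4 address: 81.165.101.125 written in hex is 51.a5.65.7d, hence 2002:51a5:657d::/48. The POSIX shell functions below are an added example, not part of the book's transcript; they derive that prefix from an IPv4 address and decode the IPv4 endpoint back out of any 6to4 address. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): derive and decode 6to4 prefixes.
# A 6to4 prefix is 2002:WWXX:YYZZ::/48 where WW.XX.YY.ZZ is the public IPv4
# address of the tunnel endpoint (RFC 3056). Function names are my own.

# sixto4_prefix 81.165.101.125  ->  2002:51a5:657d::/48
sixto4_prefix() {
    # Split the dotted quad into its four decimal octets.
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    # Each octet becomes two hex digits: 81.165 -> 51a5, 101.125 -> 657d.
    printf '2002:%02x%02x:%02x%02x::/48\n' "$o1" "$o2" "$o3" "$o4"
}

# sixto4_ipv4 2002:51a5:657d:1::1  ->  81.165.101.125
# The IPv4 endpoint behind a 6to4 source address is encoded in the address
# itself, so a 2002::/16 entry in a log can be tied back to an IPv4 host.
sixto4_ipv4() {
    case $1 in
        2002:*) ;;
        *) printf 'not a 6to4 address: %s\n' "$1" >&2; return 1 ;;
    esac
    rest=${1#2002:}
    h1=${rest%%:*}          # second hextet, e.g. 51a5
    rest=${rest#*:}
    h2=${rest%%:*}          # third hextet, e.g. 657d
    # Zero compression: "2002::..." means both hextets are zero;
    # "2002:51a5::1" means only the third one is.
    if [ -z "$h1" ]; then h1=0; h2=0; fi
    [ -n "$h2" ] || h2=0
    # Re-pad to four hex digits so each byte can be sliced off below.
    h1=$(printf '%04x' "$((0x$h1))")
    h2=$(printf '%04x' "$((0x$h2))")
    printf '%d.%d.%d.%d\n' \
        "$((0x${h1%??}))" "$((0x${h1#??}))" \
        "$((0x${h2%??}))" "$((0x${h2#??}))"
}
```

The decoder is the half a defender uses: when a 2002::/16 source shows up in a log, the IPv4 endpoint sits in the address and can be correlated with the IPv4-side records. Two caveats on the transcript itself: the default route via ::192.88.99.1 relies on the public 6to4 anycast relays, which RFC 7526 deprecated in 2015, so this exact setup should no longer be expected to reach the IPv6 internet; and where 6to4 is still in use, the tunnel carries IPv6 inside IPv4 protocol 41 packets, which filter rules written for plain TCP/UDP over IPv4 or for native IPv6 do not match.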


Appendix A. cloning
A.1. About cloning 


You can have distinct goals for cloning a server. For instance a clone can be a cold iron 
backup system used for manual disaster recovery of a service. Or a clone can be created to 
serve in a test environment. Or you might want to make an almost identical server. Let's take 
a look at some offline and online ways to create a clone of a Linux server. 


A.2. About offline cloning 


The term offline cloning is used when you power off the running Linux server to create the
clone. This method is easy since we don't have to consider open files and we don't have to
skip virtual file systems like /dev or /sys. The offline cloning method can be broken down
into these steps:


1. Boot source and target server with a bootable CD 
2. Partition, format and mount volumes on the target server 
3. Copy files/partitions from source to target over the network 


The first step is trivial. The second step is explained in the Disk Management chapter. For 
the third step, you can use a combination of ssh or netcat with cp, dd, dump and restore, 
tar, cpio, rsync or even cat. 


A.3. Offline cloning example 


We have a working Red Hat Enterprise Linux 5 server, and we want a perfect copy of it on
newer hardware. The first thing to do is to discover the disk layout.


[root@RHEL5 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2              15G  4.5G  9.3G  33% /
/dev/sda1              99M   31M   64M  33% /boot


The /boot partition is small but big enough. If we create an identical partition, then dd should 
be a good cloning option. Suppose the / partition needs to be enlarged on the target system. 
The best option then is to use a combination of dump and restore. Remember that dd copies 
blocks, whereas dump/restore copies files. 


The first step is to boot the target server with a live CD and partition the target disk. To
do this we use the Red Hat Enterprise Linux 5 install CD. At the CD boot prompt we type
"linux rescue". The CD boots into a root console where we can use fdisk to discover and
prepare the attached disks.


When the partitions are created and have their filesystem, we can use dd to copy the /boot
partition.


ssh root@192.168.1.40 "dd if=/dev/sda1" | dd of=/dev/sda1


Then we use a dump and restore combo to copy the / partition. 


mkdir /mnt/x
mount /dev/sda2 /mnt/x
cd /mnt/x
ssh root@192.168.1.40 "dump -0 -f - /" | restore -r -f -
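The dd and dump/restore pipelines above push bytes over ssh but never check that what landed on the target matches the source. The shell functions below are an added example, not part of the book: they reproduce the dd pipeline on two local paths (ordinary files stand in for the /dev/sda1 devices so the example runs without spare disks) and then compare SHA-256 digests of both ends. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): clone a partition image through a dd
# pipe, as the book's  ssh root@192.168.1.40 "dd if=/dev/sda1" | dd of=/dev/sda1
# does, and then verify it. SRC and DST are paths; plain files stand in for
# the block devices here. Function names are my own.

# clone_partition SRC DST: block copy through a pipe, like the ssh | dd line.
clone_partition() {
    dd if="$1" bs=1M | dd of="$2" bs=1M
}

# digest_of PATH: SHA-256 of everything readable at PATH (file or device).
digest_of() {
    sum=$(sha256sum < "$1")
    printf '%s\n' "${sum%% *}"
}

# verify_clone SRC DST: succeed only if both ends hash identically.
# Over the network, run sha256sum on each host and compare the two digests.
verify_clone() {
    [ "$(digest_of "$1")" = "$(digest_of "$2")" ]
}

# clone_and_verify SRC DST: copy, then refuse to report success on a mismatch.
clone_and_verify() {
    clone_partition "$1" "$2" && verify_clone "$1" "$2"
}
```

The check is only meaningful right after the copy and before the clone is mounted read-write or booted; once the target filesystem is in use its digest diverges from the source legitimately. For the dump/restore path the same byte-for-byte comparison does not apply, since restore rebuilds files rather than blocks, so there the check is a file-level one (for example comparing `find / -xdev | wc -l` and a sample of file checksums on both hosts).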


Appendix B. License


GNU Free Documentation License 
Version 1.3, 3 November 2008 
Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. 


Everyone is permitted to copy and distribute verbatim copies of this 
license document, but changing it is not allowed. 


0. PREAMBLE 


The purpose of this License is to make a manual, textbook, or other 
functional and useful document "free" in the sense of freedom: to 
assure everyone the effective freedom to copy and redistribute it, 
with or without modifying it, either commercially or noncommercially. 
Secondarily, this License preserves for the author and publisher a way 
to get credit for their work, while not being considered responsible 
for modifications made by others. 


This License is a kind of "copyleft", which means that derivative 
works of the document must themselves be free in the same sense. It 
complements the GNU General Public License, which is a copyleft 
license designed for free software. 


We have designed this License in order to use it for manuals for free 
software, because free software needs free documentation: a free 
program should come with manuals providing the same freedoms that the 
Software does. But this License is not limited to software manuals; it 
can be used for any textual work, regardless of subject matter or 
whether it is published as a printed book. We recommend this License 
principally for works whose purpose is instruction or reference. 


1. APPLICABILITY AND DEFINITIONS 


This License applies to any manual or other work, in any medium, that 
contains a notice placed by the copyright holder saying it can be 
distributed under the terms of this License. Such a notice grants a 
world-wide, royalty-free license, unlimited in duration, to use that 
work under the conditions stated herein. The "Document", below, refers 
to any such manual or work. Any member of the public is a licensee, 
and is addressed as "you". You accept the license if you copy, modify 
or distribute the work in a way requiring permission under copyright 
law. 


A "Modified Version" of the Document means any work containing the 
Document or a portion of it, either copied verbatim, or with 
modifications and/or translated into another language. 


A "Secondary Section" is a named appendix or a front-matter section of 
the Document that deals exclusively with the relationship of the 
publishers or authors of the Document to the Document's overall 
subject (or to related matters) and contains nothing that could fall 
directly within that overall subject. (Thus, if the Document is in 
part a textbook of mathematics, a Secondary Section may not explain 
any mathematics.) The relationship could be a matter of historical 
connection with the subject or with related matters, or of legal, 
commercial, philosophical, ethical or political position regarding 
them. 


The "Invariant Sections" are certain Secondary Sections whose titles 
are designated, as being those of Invariant Sections, in the notice
that says that the Document is released under this License. If a 
section does not fit the above definition of Secondary then it is not 
allowed to be designated as Invariant. The Document may contain zero 
Invariant Sections. If the Document does not identify any Invariant 
Sections then there are none. 


The "Cover Texts" are certain short passages of text that are listed, 
as Front-Cover Texts or Back-Cover Texts, in the notice that says that 
the Document is released under this License. A Front-Cover Text may be 
at most 5 words, and a Back-Cover Text may be at most 25 words. 


A "Transparent" copy of the Document means a machine-readable copy, 
represented in a format whose specification is available to the 
general public, that is suitable for revising the document 
straightforwardly with generic text editors or (for images composed of 
pixels) generic paint programs or (for drawings) some widely available 
drawing editor, and that is suitable for input to text formatters or 
for automatic translation to a variety of formats suitable for input 
to text formatters. A copy made in an otherwise Transparent file 
format whose markup, or absence of markup, has been arranged to thwart 
or discourage subsequent modification by readers is not Transparent. 
An image format is not Transparent if used for any substantial amount 
of text. A copy that is not "Transparent" is called "Opaque". 


Examples of suitable formats for Transparent copies include plain 
ASCII without markup, Texinfo input format, LaTeX input format, SGML 
or XML using a publicly available DTD, and standard-conforming simple 
HTML, PostScript or PDF designed for human modification. Examples of 
transparent image formats include PNG, XCF and JPG. Opaque formats 
include proprietary formats that can be read and edited only by 
proprietary word processors, SGML or XML for which the DTD and/or 
processing tools are not generally available, and the 
machine-generated HTML, PostScript or PDF produced by some word 
processors for output purposes only. 


The "Title Page" means, for a printed book, the title page itself, 
plus such following pages as are needed to hold, legibly, the material 
this License requires to appear in the title page. For works in 
formats which do not have any title page as such, "Title Page" means 
the text near the most prominent appearance of the work's title, 
preceding the beginning of the body of the text. 


The "publisher" means any person or entity that distributes copies of 
the Document to the public. 


A section "Entitled XYZ" means a named subunit of the Document whose 
title either is precisely XYZ or contains XYZ in parentheses following 
text that translates XYZ in another language. (Here XYZ stands for a 
Specific section name mentioned below, such as "Acknowledgements", 
"Dedications", "Endorsements", or "History".) To "Preserve the Title" 
of such a section when you modify the Document means that it remains a 
section "Entitled XYZ" according to this definition. 


The Document may include Warranty Disclaimers next to the notice which 
states that this License applies to the Document. These Warranty 
Disclaimers are considered to be included by reference in this 
License, but only as regards disclaiming warranties: any other 
implication that these Warranty Disclaimers may have is void and has 
no effect on the meaning of this License. 


2. VERBATIM COPYING 


You may copy and distribute the Document in any medium, either 
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies 
to the Document are reproduced in all copies, and that you add no 
other conditions whatsoever to those of this License. You may not use 
technical measures to obstruct or control the reading or further 
copying of the copies you make or distribute. However, you may accept 
compensation in exchange for copies. If you distribute a large enough 
number of copies you must also follow the conditions in section 3. 


You may also lend copies, under the same conditions stated above, and 
you may publicly display copies. 


3. COPYING IN QUANTITY 


If you publish printed copies (or copies in media that commonly have 
printed covers) of the Document, numbering more than 100, and the 
Document's license notice requires Cover Texts, you must enclose the 
copies in covers that carry, clearly and legibly, all these Cover 
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on 
the back cover. Both covers must also clearly and legibly identify you 
as the publisher of these copies. The front cover must present the 
full title with all words of the title equally prominent and visible. 
You may add other material on the covers in addition. Copying with 
changes limited to the covers, as long as they preserve the title of 
the Document and satisfy these conditions, can be treated as verbatim 
copying in other respects. 


If the required texts for either cover are too voluminous to fit 
legibly, you should put the first ones listed (as many as fit 
reasonably) on the actual cover, and continue the rest onto adjacent 
pages. 


If you publish or distribute Opaque copies of the Document numbering 
more than 100, you must either include a machine-readable Transparent 
copy along with each Opaque copy, or state in or with each Opaque copy 
a computer-network location from which the general network-using 
public has access to download using public-standard network protocols 
a complete Transparent copy of the Document, free of added material. 
If you use the latter option, you must take reasonably prudent steps, 
when you begin distribution of Opaque copies in quantity, to ensure 
that this Transparent copy will remain thus accessible at the stated 
location until at least one year after the last time you distribute an 
Opaque copy (directly or through your agents or retailers) of that 
edition to the public. 


It is requested, but not required, that you contact the authors of the 
Document well before redistributing any large number of copies, to 
give them a chance to provide you with an updated version of the 
Document. 


4. MODIFICATIONS 


You may copy and distribute a Modified Version of the Document under 
the conditions of sections 2 and 3 above, provided that you release 
the Modified Version under precisely this License, with the Modified 
Version filling the role of the Document, thus licensing distribution 
and modification of the Modified Version to whoever possesses a copy 
of it. In addition, you must do these things in the Modified Version: 


* A. Use in the Title Page (and on the covers, if any) a title 
distinct from that of the Document, and from those of previous 
versions (which should, if there were any, be listed in the History 
section of the Document). You may use the same title as a previous 
version if the original publisher of that version gives permission. 
* B. List on the Title Page, as authors, one or more persons or
entities responsible for authorship of the modifications in the 
Modified Version, together with at least five of the principal authors 
of the Document (all of its principal authors, if it has fewer than 
five), unless they release you from this requirement. 

* C. State on the Title page the name of the publisher of the 
Modified Version, as the publisher. 

* D. Preserve all the copyright notices of the Document. 

* E. Add an appropriate copyright notice for your modifications 
adjacent to the other copyright notices. 

* F. Include, immediately after the copyright notices, a license 
notice giving the public permission to use the Modified Version under 
the terms of this License, in the form shown in the Addendum below. 

* G. Preserve in that license notice the full lists of Invariant 
Sections and required Cover Texts given in the Document's license 
notice. 

* H. Include an unaltered copy of this License. 

* I. Preserve the section Entitled "History", Preserve its Title, 
and add to it an item stating at least the title, year, new authors, 
and publisher of the Modified Version as given on the Title Page. If 
there is no section Entitled "History" in the Document, create one 
stating the title, year, authors, and publisher of the Document as 
given on its Title Page, then add an item describing the Modified 
Version as stated in the previous sentence. 

* J. Preserve the network location, if any, given in the Document 
for public access to a Transparent copy of the Document, and likewise 
the network locations given in the Document for previous versions it 
was based on. These may be placed in the "History" section. You may 
omit a network location for a work that was published at least four 
years before the Document itself, or if the original publisher of the 
version it refers to gives permission. 

* K. For any section Entitled "Acknowledgements" or "Dedications", 
Preserve the Title of the section, and preserve in the section all the 
substance and tone of each of the contributor acknowledgements and/or 
dedications given therein. 

* L. Preserve all the Invariant Sections of the Document, 
unaltered in their text and in their titles. Section numbers or the 
equivalent are not considered part of the section titles. 

* M. Delete any section Entitled "Endorsements". Such a section 
may not be included in the Modified Version. 

* N. Do not retitle any existing section to be Entitled 
"Endorsements" or to conflict in title with any Invariant Section. 

* O. Preserve any Warranty Disclaimers. 


If the Modified Version includes new front-matter sections or 
appendices that qualify as Secondary Sections and contain no material 
copied from the Document, you may at your option designate some or all 
of these sections as invariant. To do this, add their titles to the 
list of Invariant Sections in the Modified Version's license notice. 
These titles must be distinct from any other section titles. 


You may add a section Entitled "Endorsements", provided it contains 
nothing but endorsements of your Modified Version by various 
parties-for example, statements of peer review or that the text has 
been approved by an organization as the authoritative definition of a 
standard. 


You may add a passage of up to five words as a Front-Cover Text, and a 
passage of up to 25 words as a Back-Cover Text, to the end of the list 
of Cover Texts in the Modified Version. Only one passage of 
Front-Cover Text and one of Back-Cover Text may be added by (or 
through arrangements made by) any one entity. If the Document already 
includes a cover text for the same cover, previously added by you or 
by arrangement made by the same entity you are acting on behalf of, 
you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one. 


The author(s) and publisher(s) of the Document do not by this License 
give permission to use their names for publicity for or to assert or 
imply endorsement of any Modified Version. 


5. COMBINING DOCUMENTS 


You may combine the Document with other documents released under this 
License, under the terms defined in section 4 above for modified 
versions, provided that you include in the combination all of the 
Invariant Sections of all of the original documents, unmodified, and 
list them all as Invariant Sections of your combined work in its 
license notice, and that you preserve all their Warranty Disclaimers. 


The combined work need only contain one copy of this License, and 
multiple identical Invariant Sections may be replaced with a single 
copy. If there are multiple Invariant Sections with the same name but 
different contents, make the title of each such section unique by 
adding at the end of it, in parentheses, the name of the original 
author or publisher of that section if known, or else a unique number. 
Make the same adjustment to the section titles in the list of 
Invariant Sections in the license notice of the combined work. 


In the combination, you must combine any sections Entitled "History" 
in the various original documents, forming one section Entitled 
"History"; likewise combine any sections Entitled "Acknowledgements", 
and any sections Entitled "Dedications". You must delete all sections 
Entitled "Endorsements". 


6. COLLECTIONS OF DOCUMENTS 


You may make a collection consisting of the Document and other 
documents released under this License, and replace the individual 
copies of this License in the various documents with a single copy 
that is included in the collection, provided that you follow the rules 
of this License for verbatim copying of each of the documents in all 
other respects. 


You may extract a single document from such a collection, and 
distribute it individually under this License, provided you insert a 
copy of this License into the extracted document, and follow this 
License in all other respects regarding verbatim copying of that 
document. 


7. AGGREGATION WITH INDEPENDENT WORKS 


A compilation of the Document or its derivatives with other separate 
and independent documents or works, in or on a volume of a storage or 
distribution medium, is called an "aggregate" if the copyright 
resulting from the compilation is not used to limit the legal rights 
of the compilation's users beyond what the individual works permit. 
When the Document is included in an aggregate, this License does not 
apply to the other works in the aggregate which are not themselves 
derivative works of the Document. 


If the Cover Text requirement of section 3 is applicable to these 
copies of the Document, then if the Document is less than one half of 
the entire aggregate, the Document's Cover Texts may be placed on 
covers that bracket the Document within the aggregate, or the 
electronic equivalent of covers if the Document is in electronic form. 
Otherwise they must appear on printed covers that bracket the whole 
aggregate. 


8. TRANSLATION


Translation is considered a kind of modification, so you may 
distribute translations of the Document under the terms of section 4. 
Replacing Invariant Sections with translations requires special 
permission from their copyright holders, but you may include 
translations of some or all Invariant Sections in addition to the 
original versions of these Invariant Sections. You may include a 
translation of this License, and all the license notices in the 
Document, and any Warranty Disclaimers, provided that you also include 
the original English version of this License and the original versions 
of those notices and disclaimers. In case of a disagreement between 
the translation and the original version of this License or a notice 
or disclaimer, the original version will prevail. 


If a section in the Document is Entitled "Acknowledgements", 
"Dedications", or "History", the requirement (section 4) to Preserve 
its Title (section 1) will typically require changing the actual 
title. 


9. TERMINATION 


You may not copy, modify, sublicense, or distribute the Document 
except as expressly provided under this License. Any attempt otherwise 
to copy, modify, sublicense, or distribute it is void, and will 
automatically terminate your rights under this License. 


However, if you cease all violation of this License, then your license 
from a particular copyright holder is reinstated (a) provisionally, 
unless and until the copyright holder explicitly and finally 
terminates your license, and (b) permanently, if the copyright holder 
fails to notify you of the violation by some reasonable means prior to 
60 days after the cessation. 


Moreover, your license from a particular copyright holder is 
reinstated permanently if the copyright holder notifies you of the 
violation by some reasonable means, this is the first time you have 
received notice of violation of this License (for any work) from that 
copyright holder, and you cure the violation prior to 30 days after 
your receipt of the notice. 


Termination of your rights under this section does not terminate the 
licenses of parties who have received copies or rights from you under 
this License. If your rights have been terminated and not permanently 
reinstated, receipt of a copy of some or all of the same material does 
not give you any rights to use it. 


10. FUTURE REVISIONS OF THIS LICENSE 


The Free Software Foundation may publish new, revised versions of the 
GNU Free Documentation License from time to time. Such new versions 
will be similar in spirit to the present version, but may differ in 
detail to address new problems or concerns. See 
http://www.gnu.org/copyleft/. 


Each version of the License is given a distinguishing version number. 
If the Document specifies that a particular numbered version of this 
License "or any later version" applies to it, you have the option of 
following the terms and conditions either of that specified version or 
of any later version that has been published (not as a draft) by the 
Free Software Foundation. If the Document does not specify a version 
number of this License, you may choose any version ever published (not 
as a draft) by the Free Software Foundation. If the Document specifies 
that a proxy can decide which future versions of this License can be
used, that proxy's public statement of acceptance of a version 
permanently authorizes you to choose that version for the Document. 


11. RELICENSING 


"Massive Multiauthor Collaboration Site" (or "MMC Site") means any 
World Wide Web server that publishes copyrightable works and also 
provides prominent facilities for anybody to edit those works. A 
public wiki that anybody can edit is an example of such a server. A 
"Massive Multiauthor Collaboration" (or "MMC") contained in the site 
means any set of copyrightable works thus published on the MMC site. 


"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 
license published by Creative Commons Corporation, a not-for-profit 
corporation with a principal place of business in San Francisco, 
California, as well as future copyleft versions of that license 
published by that same organization. 


"Incorporate" means to publish or republish a Document, in whole or in 
part, as part of another Document. 


An MMC is "eligible for relicensing" if it is licensed under this 
License, and if all works that were first published under this License 
somewhere other than this MMC, and subsequently incorporated in whole 
or in part into the MMC, (1) had no cover texts or invariant sections, 
and (2) were thus incorporated prior to November 1, 2008. 


The operator of an MMC Site may republish an MMC contained in the site 
under CC-BY-SA on the same site at any time before August 1, 2009, 
provided the MMC is eligible for relicensing. 